Colubris Networks Configuration Guide
Release 4.1 (February 2006) 43-10-0000-00

Copyright 2006 Colubris Networks, Inc. All rights reserved, including those to reproduce this document or parts thereof in any form without written permission from Colubris Networks, Inc.

Colubris is a registered trademark, and the Colubris Networks logo, the tag line The Intelligent Wireless Networking Choice, InReach, InMotion, InCharge, and TriPlane are trademarks of Colubris Networks, Inc., in the United States and other countries. All other product and brand names are the service marks, trademarks, registered trademarks, or registered service marks of their respective owners.

Changes are periodically made to the information herein; these changes will be incorporated into new editions of the document. You can download the most up-to-date product information from the Colubris Networks website. Go to www.colubris.com and on the homepage at left select Support > Product Registration.

Colubris Networks, Inc.
200 West Street Ste 300
Waltham, Massachusetts 02451-1121
UNITED STATES
Phone: +1 781 684 0001
Fax: +1 781 684 0009
Sales Information: sales@colubris.com
Customer Support: support@colubris.com
Training: training@colubris.com
http://www.colubris.com
Contents

Chapter 1: Introduction
  About this guide
  Software compatibility matrix
  Typographical conventions
  Warnings, cautions, and notes
  Related documents

Chapter 2: Management
  In this chapter
  Management Tool overview
    Management station
    Administrator account
    Security
  Validating administrator logins using a RADIUS server
  Remote management
    How it works
    Configuration road map

Chapter 3: Public access deployment
  In this chapter
  Scenario 1a: Hotspot with Internet access (local mode)
    How it works
    Configuration road map
  Scenario 1b: Hotspot with custom interface (local mode)
    How it works
    Configuration road map
  Scenario 1c: Hotspot with satellites and roaming (local mode)
    How it works
    Configuration road map
  Scenario 1d: Hotspot with layer 2 security (local mode)
    How it works
    Configuration road map
  Scenario 2a: Hotspot with Internet access (AAA server)
    How it works
    Configuration road map
  Scenario 2b: Hotspot with custom interface (AAA server)
    How it works
    Configuration road map
  Scenario 2c: Hotspot with satellites and roaming (AAA server)
    How it works
    Configuration road map
  Scenario 2d: Hotspot with layer 2 security (AAA server)
    How it works
    Configuration road map
  Scenario 2e: Using dual radios to support A+B+G traffic
    How it works
    Configuration road map
  Scenario 3: Shared hotspot for public and private traffic
    How it works
    Configuration road map
  Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
    How it works
    Configuration road map
  Scenario 5: Custom HTML pages on each MAP (local mode)
    How it works
    Configuration road map

Chapter 4: Enterprise deployment
  In this chapter
  Scenario 1: Adding secure wireless networking
    How it works
    Configuration road map
  Scenario 2a: Integrating wireless networking with authentication
    How it works
    Configuration road map
  Scenario 2b: Using multiple wireless profiles and QoS
    How it works
    Configuration road map
  Scenario 2c: Supporting wireless phones
    How it works
    Configure the VSC
  Scenario 3: Adding wireless networking to a segmented network
    How it works
    Configuration road map
  Scenario 4: Roaming across different subnets (single MSC)
    How it works
    Configuration road map
  Scenario 5: Roaming across different subnets (multiple MSCs)
    How it works
    Configuration road map
  Scenario 6: Access-controlled VSCs and roaming
    How it works
    Configuration road map

Chapter 5: WDS scenarios
  In this chapter
  Wireless bridging considerations
  Single or dual radios?
  Using 802.1a for WDS
  Scenario 1: Using RF extension to expand a wired network
    How it works
    Configuration road map
  Scenario 2: Deploying a point-to-point wireless link
    How it works
    Configuration road map single radio
    Configuration road map dual radios
  Scenario 3: Setting up multi-hop wireless links
    How it works
    Configuration road map

Chapter 6: More from Colubris
  Colubris.com
  For registered customers
  For Annual Maintenance Support Program customers
  Information by telephone and e-mail
Chapter 1: Introduction

In this chapter you can find an explanation of the conventions used in this guide and an overview of its contents. For information on using different software revisions in your Colubris subnetwork, see the Software compatibility matrix.
About this guide

This guide contains a number of detailed scenarios for using Colubris Networks MultiService Access Points (MAPs) and MultiService Controllers (MSCs) in a wide range of applications.

Although detailed configuration steps are provided with each scenario, the guide does not cover the basic procedures for operating and configuring Colubris Networks devices. This information can be found in the Administrator's Guide for each device. (For a list, see Related documents.) You should be familiar with this information before attempting to use the scenarios in this guide.

The scenarios are grouped according to functionality as follows:

Chapter 2: Management
- Management Tool overview
- Validating administrator logins using a RADIUS server
- Remote management

Chapter 3: Public access deployment
- Scenario 1a: Hotspot with Internet access (local mode)
- Scenario 1b: Hotspot with custom interface (local mode)
- Scenario 1c: Hotspot with satellites and roaming (local mode)
- Scenario 1d: Hotspot with layer 2 security (local mode)
- Scenario 2a: Hotspot with Internet access (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with satellites and roaming (AAA server)
- Scenario 2d: Hotspot with layer 2 security (AAA server)
- Scenario 2e: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
- Scenario 5: Custom HTML pages on each MAP (local mode)

Chapter 4: Enterprise deployment
- Scenario 1: Adding secure wireless networking
- Scenario 2a: Integrating wireless networking with authentication
- Scenario 2b: Using multiple wireless profiles and QoS
- Scenario 2c: Supporting wireless phones
- Scenario 3: Adding wireless networking to a segmented network
- Scenario 4: Roaming across different subnets (single MSC)
- Scenario 5: Roaming across different subnets (multiple MSCs)
- Scenario 6: Access-controlled VSCs and roaming

Chapter 5: WDS scenarios
- Wireless bridging considerations
- Scenario 1: Using RF extension to expand a wired network
- Scenario 2: Deploying a point-to-point wireless link
- Scenario 3: Setting up multi-hop wireless links
Software compatibility matrix

As part of the Colubris Intelligent MultiService System (CIMS), InCharge MultiService Controllers (MSCs) and MGW-3500 MultiService Gateways must be configured with compatible InReach MultiService Access Points and Colubris Networks wireless client bridges. Following is a software release compatibility matrix that shows you which software versions can be mixed in your CIMS. In general, MSCs and MGWs support access point products that are at the same software release or one software release behind.

Note: If you upgrade your Colubris Networks access controller products to the 4.1.0 release, all managed access points must be at either 4.1.0 or 3.1.x. Stand-alone access points can run any firmware version. However, Colubris strongly recommends that you deploy the same firmware release for all access points in your network.

The first column gives the supported software version on the Colubris access controllers; the remaining columns give the supported software version on Colubris access points and client bridges.

Access controllers: MSC-3200 (d), MSC-3300 (e), MGW-3500, MSC-5200

Controller   WAP-200         MAP-320 (a)     MAP-330 (b)     MAP-330 Sensor (c)   WCB-200 (c)
2.4.x        Not supported   2.4.x           2.4.x           N/A                  N/A
3.1.x        3.1.x           3.1.x, 2.4.x    3.1.x, 2.4.x    N/A                  N/A
4.1.x        4.1.x, 3.1.x    4.1.x, 3.1.x    4.1.x, 3.1.x    N/A                  N/A

Access controller: MSC-5500

Controller   WAP-200         MAP-320 (a)     MAP-330 (b)     MAP-330 Sensor (c)   WCB-200 (c)
3.1.x        3.1.x           3.1.x, 2.4.x    3.1.x, 2.4.x    N/A                  N/A
4.1.x        4.1.x, 3.1.x    4.1.x, 3.1.x    4.1.x, 3.1.x    N/A                  N/A

Access controllers: MSC-5200/MSC-5500 plus COS Services Pack (f)

Controller   WAP-200         MAP-320 (a)     MAP-330 (b)     MAP-330 Sensor (c)   WCB-200 (c)
4.1.x        N/A             4.1 only        4.1 only        N/A                  N/A

a. Includes product variants MAP-320R and MAP-320S.
b. Includes ruggedized product variant MAP-330R.
c. MAP-330 Sensors and WCB-200 wireless client bridges do not interact with an MSC or MGW and can be used in these networks at any supported software version.
d. Includes ruggedized product variant MSC-3200R.
e. Includes ruggedized product variant MSC-3300R.
f. In order to use the mobility services features in 4.1.0, including both Layer 2 fast and secure authentication and Layer 3 mobility, you must upgrade associated MAPs to the 4.1.0 release.
Typographical conventions

The following table gives the typographical conventions used in Colubris Networks technical documentation.

Example: Network > Ports
Description: When referring to the Management Tool web interface, items in bold identify menu commands or input fields. Submenus are indicated by the > sign. The example refers to the Ports submenu, which is found under the Network menu.

Example: ip_address
Description: Items in italics identify parameters for which you must supply a value.

Example: use-access-list=usename
Description: Monospaced text identifies command-line output, program listings, or commands that you enter into configuration files or profiles.

Example: ssl-certificate=url [ %s ]
Description: Square brackets identify optional arguments. That is, you can decide whether to enter the argument. Do not enter the brackets.

Example: [ ONE | TWO ]
Description: A vertical line indicates mutually-exclusive choices. That is, you can specify only one item.

Example: { ONE | TWO }
Description: Curly brackets group required arguments.

Note: The Management Tool web interface is an element management system that is distinct from the Colubris Networks InCharge network management system, CNMS.
Warnings, cautions, and notes

The following table explains some of the special symbols used in Colubris Networks technical documentation.

Lead: Warning!
Description: Warnings provide information that you must follow to avoid risk of physical injury.

Lead: Caution!
Description: Cautions provide information that you must follow to avoid damage to the hardware or software components of the system.

Lead: Note:
Description: Notes provide important information about a procedure or topic.
Related documents

The following documents provide additional information. You can find instructions on how to download additional documentation on the copyright page.

Document: Quickstart Guides
Provides you with: Hardware and startup information for the Colubris Networks devices mentioned in this guide.

Document: Administrator Guides
Provides you with: Hardware and configuration information for the Colubris Networks devices mentioned in this guide.

Document: Public Access Administrator Guide
Provides you with: Detailed discussions on configuring the public access interface provided by MSC devices.

Document: Engineering Release Notes
Provides you with: Specific information about the latest release of Colubris Networks firmware, including the newest features, fixes, and known issues.
Chapter 2: Management

In this chapter you can find scenarios that illustrate strategies for managing one or more devices across various network topologies.
In this chapter

This chapter contains the following topics.

- Management Tool overview
- Validating administrator logins using a RADIUS server
- Remote management
Management Tool overview

The Management Tool is a Web-based interface to the MAP/MSC that provides easy access to all configuration functions.

Note: The Management Tool web interface is an element management system that is distinct from the Colubris Networks InCharge network management system.

Management station

Management station refers to the computer that an administrator uses to connect to the Management Tool. To act as a management station, a computer must:

- Have a JavaScript-enabled Web browser installed; that is, Netscape 7.01 or higher, or Internet Explorer 6.0 or higher, including all updates
- Be able to establish an IP connection with the MAP/MSC, either through the wireless port or LAN ports

Administrator account

Administrator password

Access to the Management Tool is protected by a username and password. The factory default setting for both is admin. Colubris Networks recommends that you change both on the Management tool configuration page, which you can access by selecting Management > Management tool.

Caution! If you forget the administrator password, the only way to gain access to the Management Tool is to reset the MAP/MSC to factory default settings.

Account policy

To maintain the integrity of configuration settings, only one administrator can be connected to the Management Tool at a given time. To prevent the Management Tool from being locked up by an idle administrator, two mechanisms are in place:

- If an administrator's connection to the Management Tool remains idle for more than ten minutes, the MAP/MSC automatically logs the administrator out.
- If a second administrator connects to the Management Tool and logs in with the correct username and password, the first administrator's session is terminated. (Default setting) If required, you can disable this mechanism on the Management tool configuration page, which you can access by selecting Management > Management tool.

Security

The Management Tool is protected by the following security features:

- HTTPS: Communications between the management station and the MAP/MSC occur through HTTPS. Before logging on to the Management Tool, administrators must accept a Colubris Networks certificate. You can replace this certificate with your own.
- Port blocking: Access to the Management Tool can be explicitly enabled or disabled for a variety of interfaces depending on the type of unit. Available options may include: wireless port, LAN port, Internet port, VLAN, GRE, or WDS.
Validating administrator logins using a RADIUS server

You can use a RADIUS server to authenticate logins to the Management Tool. One advantage of this method is that it enables you to create several administrator accounts, each with its own username and password.

Caution! Ensure that the RADIUS profile you select is configured and that the administrator account is defined on a functioning RADIUS server. If not, you will not be able to log back into the MAP because the administrator password cannot be authenticated.

Use the following steps to configure RADIUS authentication.

1. Create a RADIUS profile to use for administrator authentication:
   - Select Security > RADIUS.
   - Click Add New Profile.
   - Define settings for the RADIUS server that you want to use to validate administrator logins.
   - Click Save.

2. Specify this RADIUS profile for administrator authentication:
   - Select Management > Management tool.
   - Under Administrator authentication Authenticate via, select the RADIUS profile that you created in the first step.
   - Under Username, enter the login name for the administrator. Default is admin.
   - Under Current password, enter the administrator password. Default is admin.
   - Under New password, enter the new administrator password. New passwords must be at least six characters long and contain at least four different characters.
   - Under Confirm new password, retype the new administrator password.
   - As a precaution, you can enable the Try local account if RADIUS is unreachable feature to allow access if the RADIUS server is down.
   - Click the Test button to verify that authentication is working.
   - Click Save.
Remote management

This scenario shows you how to set up an MSC to provide remote management of the MAPs connected to it.

How it works

When a MAP is installed behind an MSC, enabling remote access to its management tool requires configuration settings to be defined on the MSC and the RADIUS server. This section explains how to configure remote management for the following two topologies:

[Figure: Topology A and Topology B. In topology A, the RADIUS server and the management station are on 192.168.20.0 and reach the MSC through a router on 192.168.10.0. In topology B, the RADIUS server, VPN server and management station are on 192.168.20.0 and reach the MSC through a VPN tunnel on 192.168.30.0. In both topologies, MAP A (1.2) and MAP B (1.3) are behind the MSC (1.1) on 192.168.1.0 and each provides a public WLAN.]
Configuration road map

On the management station

To reach the management tool on the MAPs, the management station must specify the following addresses in its web browser:

Topology A
- To reach MAP A: HTTPS://192.168.10.1:5002
- To reach MAP B: HTTPS://192.168.10.1:5003

Topology B
- To reach MAP A: HTTPS://192.168.30.2:5002
- To reach MAP B: HTTPS://192.168.30.2:5003

Static NAT mappings are used on the MSC to direct traffic to the proper MAP. MAC address authentication enables the MAPs to log into the public access network. Access list definitions allow traffic to be sent from the MSCs to the management stations.

Configure the MSCs

Create static NAT mappings

To direct management traffic to the proper MAP, you need to create static NAT mappings (on the Network > NAT page) to redirect HTTPS traffic to the new ports you defined on the MAPs.

- Map traffic on port 5002 to IP address 192.168.1.2 and port 443.
- Map traffic on port 5003 to IP address 192.168.1.3 and port 443.

Configure the RADIUS server

Create an MSC profile

Create a RADIUS profile for the MSC as follows:

MAC address authentication

For the MAP to communicate with the management station, it must log into the public access network provided by the MSC. To accomplish this, add a MAC address attribute to the MSC's RADIUS profile for each MAP. This attribute enables the access controller to authenticate devices (such as the MAPs) based on their MAC address. For example:

    mac-address=address[,username[,password]]

Replace address and username with the MAC address of the MAP. Replace password with the same password that the MSC uses to communicate with the RADIUS server.
A note about security

Access list

In both topology A and B it makes sense to protect access to the RADIUS server and management station. This is required because once logged in, public access customers gain access to all resources connected to the MSC's Internet port. An access list definition can be used to block all traffic to 192.168.20.0, for topology A, and 192.168.30.0, for topology B. However, to enable the MAPs and the management station to communicate, an additional access list definition must be created as follows:

Topology A: Create an access list that permits HTTPS traffic to address 192.168.20.4. This is the IP address of the management station. For example:

    access-list=320,accept,tcp,192.168.20.4,443

Topology B: The list should permit HTTPS traffic to address 192.168.30.3. This is the IP address of the management station inside the VPN tunnel.

    access-list=320,accept,tcp,192.168.30.3,443

Create a MAP profile

Define a RADIUS profile for each MAP. The profile should activate the access list that was defined in the MSC's RADIUS profile. For example:

    use-access-list=320

Create a user account for each MSC

Define a RADIUS user account for each MSC. Define a unique username and password for each device.
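The remote management settings above (static NAT mappings, the access-list and mac-address attributes in the MSC profile, and use-access-list in each MAP profile) only work if they agree with each other. The following Python check is an added example, not part of the Colubris guide or firmware. The function names, the field order read off the guide's access-list example, the /24 mask, the MAC address notation and the sample MAC addresses and password are assumptions or constructed values.

```python
import ipaddress
from typing import NamedTuple


class NatMapping(NamedTuple):
    public_port: int   # port the management station uses on the MSC
    target_ip: str     # MAP address behind the MSC
    target_port: int   # port on the MAP that receives the traffic


def parse_attrs(lines):
    """Split 'name=value' RADIUS attribute strings into (name, value) pairs."""
    pairs = []
    for line in lines:
        name, sep, value = line.strip().partition("=")
        if not sep or not name or not value:
            raise ValueError(f"not a name=value attribute: {line!r}")
        pairs.append((name, value))
    return pairs


def audit(nat, msc_attrs, map_profiles, mgmt_ip, map_subnet):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    subnet = ipaddress.ip_network(map_subnet)

    # Static NAT: one MSC port per MAP, always landing on HTTPS (443).
    seen = set()
    for m in nat:
        if m.public_port in seen:
            findings.append(f"NAT port {m.public_port} is mapped more than once")
        seen.add(m.public_port)
        if ipaddress.ip_address(m.target_ip) not in subnet:
            findings.append(f"NAT port {m.public_port} targets {m.target_ip}, outside {subnet}")
        if m.target_port != 443:
            findings.append(f"NAT port {m.public_port} targets port {m.target_port}, not 443")

    # MSC profile: access-list and mac-address attributes.
    defined = set()
    for name, value in parse_attrs(msc_attrs):
        fields = value.split(",")
        if name == "access-list":
            # Field order assumed from the guide's example:
            # list name, action, protocol, address, port.
            if len(fields) != 5:
                findings.append(f"access-list {value!r} does not have 5 fields")
                continue
            list_name, action, proto, addr, port = fields
            defined.add(list_name)
            wanted = ("tcp", mgmt_ip, "443")
            if action.lower() == "accept" and (proto.lower(), addr, port) != wanted:
                findings.append(f"access-list {list_name} accepts {proto} {addr}:{port}, "
                                f"which is not HTTPS to the management station")
        elif name == "mac-address":
            # The guide says the username repeats the MAC address.
            if len(fields) > 1 and fields[1].lower() != fields[0].lower():
                findings.append(f"mac-address {fields[0]}: username does not repeat the MAC address")

    # MAP profiles: each must activate a list that the MSC profile defines.
    for map_name, attrs in map_profiles.items():
        used = [v for n, v in parse_attrs(attrs) if n == "use-access-list"]
        if not used:
            findings.append(f"{map_name}: no use-access-list attribute")
        for list_name in used:
            if list_name not in defined:
                findings.append(f"{map_name}: use-access-list={list_name} "
                                f"is not defined in the MSC profile")
    return findings


# Topology A values from the guide; MAC addresses and password are constructed.
NAT_A = [NatMapping(5002, "192.168.1.2", 443), NatMapping(5003, "192.168.1.3", 443)]
MSC_A = [
    "access-list=320,accept,tcp,192.168.20.4,443",
    "mac-address=02:00:00:00:01:02,02:00:00:00:01:02,EXAMPLE-SECRET",
    "mac-address=02:00:00:00:01:03,02:00:00:00:01:03,EXAMPLE-SECRET",
]
MAPS_A = {"MAP A": ["use-access-list=320"], "MAP B": ["use-access-list=320"]}

# Constructed mistakes: wrong NAT target port, accept rule for another host
# on 192.168.20.0, and a MAP profile that names an undefined list.
NAT_BAD = [NatMapping(5002, "192.168.1.2", 443), NatMapping(5003, "192.168.1.3", 80)]
MSC_BAD = MSC_A + ["access-list=320,accept,tcp,192.168.20.1,443"]
MAPS_BAD = {"MAP A": ["use-access-list=320"], "MAP B": ["use-access-list=321"]}

if __name__ == "__main__":
    for title, args in (("as documented", (NAT_A, MSC_A, MAPS_A)),
                        ("with mistakes", (NAT_BAD, MSC_BAD, MAPS_BAD))):
        print(title)
        for finding in audit(*args, mgmt_ip="192.168.20.4", map_subnet="192.168.1.0/24"):
            print("  -", finding)
```

For topology B, pass the management station's tunnel address (192.168.30.3) as mgmt_ip.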
Chapter 3: Public access deployment

In this chapter you can find sample deployment strategies for common public access scenarios. These scenarios can give you a good idea about how to approach your installation.
In this chapter

This chapter contains the following scenarios.

- Scenario 1a: Hotspot with Internet access (local mode)
- Scenario 1b: Hotspot with custom interface (local mode)
- Scenario 1c: Hotspot with satellites and roaming (local mode)
- Scenario 1d: Hotspot with layer 2 security (local mode)
- Scenario 2a: Hotspot with Internet access (AAA server)
- Scenario 2b: Hotspot with custom interface (AAA server)
- Scenario 2c: Hotspot with satellites and roaming (AAA server)
- Scenario 2d: Hotspot with layer 2 security (AAA server)
- Scenario 2e: Using dual radios to support A+B+G traffic
- Scenario 3: Shared hotspot for public and private traffic
- Scenario 4: Delivering custom HTML pages using VLANs (AAA server)
- Scenario 5: Custom HTML pages on each MAP (local mode)
Scenario 1a: Hotspot with Internet access (local mode)

This installation shows you how to quickly deploy and test the MSC without installing a RADIUS server. Instead, customer authentication is handled locally on the MSC.

How it works

In this scenario a single MSC (with radio) is installed to provide a wireless network and access to the Internet. The MSC is connected to the Internet by way of a broadband modem, and the Internet connection is protected by the MSC's firewall and NAT features (which are enabled by default).

[Figure: an MSC providing a public WLAN, with its LAN port connected to the LAN on subnet 192.168.1.0 and its Internet port connected to the Internet.]

A local area network is connected to the MSC's LAN port to support wired customers. The MSC acts as the DHCP server on both the wireless and wired networks, which are bridged together on subnet 192.168.1.0.

The MSC is operating in local mode, which means that:

- Customer authentication is handled locally by the MSC and accounts are created on the MSC for each customer. There is no support for accounting.
- A RADIUS server is not required to activate the public access interface. Instead, the default public access interface resident on the MSC is used by customers to login and manage their sessions.
Configuration road map

Install the MSC

1. Install the MSC as described in its Quickstart guide.
2. Connect the Internet port to a broadband modem and then restart the modem.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network

By default the MSC is configured to:

- automatically choose the best operating channel (frequency)
- support 802.11b/g clients
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

Configure the Internet connection

1. Select Network > Ports > Internet port.
2. Select the addressing option supported by your ISP and click Configure.
3. Define all settings as required by your ISP.

Define the list of users

1. Select Security > Users.
2. Add usernames and passwords for all users/customers.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. Specify a valid customer name and password to login.
4. The Session page will open.
5. Next, you are automatically redirected to the web site you originally requested.
Scenario 1b: Hotspot with custom interface (local mode)

This scenario adds custom settings to the default public access interface used in Scenario 1a. This installation illustrates how to customize the operation of the public access interface while running in local mode.

How it works

In this scenario, a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted. There are two ways to deploy this scenario.

Topology 1

In this version, the web server is located on the Internet.

[Figure: Topology 1. The web server is on the Internet, reached through the MSC's Internet port; the MSC (1.1) serves the LAN on 192.168.1.0 through its LAN port and provides the public WLAN.]
Topology 2

In this version the web server is located on local LAN B. Instead of being directly connected to the Internet, the MSC is also connected to local LAN B which provides a router/firewall to handle the connection to the Internet.

[Figure: Topology 2. Labels: Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, MSC (LAN port, Internet port), PUBLIC WLAN.]

In this scenario, the web server is also the DHCP server for LAN B, operating on subnet 192.168.5.0. The MSC's Internet port is set to operate as a DHCP client.

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Configure the Internet port (Topology 2 only)

1. Select Network > Ports > Internet port.
2. Select DHCP Client and click Save.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to www.colubris.com and on the home page at left select Support > Product Registration.)
4. Copy the following files from the current QuickSetup.zip file and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
5. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.
6. Open the Security > Local config page and define the following attributes:

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To login, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.
Scenario 1c: Hotspot with satellites and roaming (local mode)

This scenario adds multiple MAPs to extend the wireless network in Scenario 1b. MAP devices can be used to extend the reach of the public access network created by an InMotion MultiService Controller (MSC).

How it works

In this scenario several MAP devices are connected to an MSC by way of a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection.

By default, each MAP is configured as a DHCP client and obtains its address from the MSC, which by default is configured as the DHCP server.

Customer authentication is handled locally by the MSC, and accounts are created on the MSC for each customer. There is no support for accounting.

Note: This scenario can also be created using an MSC with no radio, in which case wireless cells are only provided by the MAP devices. When using non-radio MSC units, the DHCP server option must be enabled manually on the MSC.

The following diagrams illustrate how the two topologies described in Scenario 1b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, LAN 192.168.1.0, two MAPs, MSC (LAN port, Internet port), PUBLIC WLAN cells.]
Topology 2

[Figure: Topology 2. Labels: Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, two MAPs, MSC (LAN port, Internet port), PUBLIC WLAN cells.]

Configuration road map

Important: Start with the configuration defined in Scenario 1a.

Install the MAPs

1. Install the MAPs as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default the MAPs are configured to:
- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: All wireless networks must have the same name in order to support roaming.

Set the shared secret on the MSC

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to connect to the MSC when they send authentication requests.
3. Click Save.
Configure the connection to the MSC on the MAPs

Each MAP will use the services of the MSC to authenticate customer logins. Do the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.
5. Select Security > Access controller.
6. Set the Access controller shared secret to match the secret set on the MSC.
7. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.
Scenario 1d: Hotspot with layer 2 security (local mode)

This scenario adds support for WEP and WPA clients to scenario 1c. Enabling support for WEP and WPA helps to protect wireless transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: WEP, WPA (with preshared key), and none.

To connect with the wireless network, customers must select the SSID of the VSC that matches the option that they want to use. Roaming is supported, since the same VSCs are defined on all access points.

The following diagrams illustrate how the two topologies described in Scenario 1c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, LAN 192.168.1.0, two MAPs and the MSC (LAN port, Internet port), each with SSID None, SSID WEP, and SSID WPA.]
Topology 2

[Figure: Topology 2. Labels: Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, two MAPs and the MSC (LAN port, Internet port), each with SSID None, SSID WEP, and SSID WPA.]

Configuration road map

Important: Start with the configuration defined in Scenario 1c.

Create VSCs on the MAPs

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under General, enable the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection:
     - Select the checkbox and choose WEP.
     - For Key, specify 13 ASCII characters as the key.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - For Key source, select Preshared key.
     - For Key and Confirm key, set a unique key value.
   - Click Save.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WEP.
   - Under Virtual AP, enter the WLAN name (SSID) as WEP.
   - Under Wireless protection:
     - Select the checkbox and choose WEP.
     - For Key, specify the same 13 ASCII characters you defined on the MAPs.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - For Key source, select Preshared key.
     - For Key and Confirm key, set the same unique key value you defined on the MAPs.
   - Click Save.
Scenario 2a: Hotspot with Internet access (AAA server)

This installation shows you how to create a public access network using an AAA (authentication, administration, accounting) RADIUS server to handle customer authentication.

How it works

In this scenario a single MSC is installed to provide a wireless network and access to the Internet. A local area network is connected to the MSC's LAN port to support wired customers. The MSC acts as the DHCP server on both the wireless and wired networks, which are bridged together on subnet 192.168.1.0.

A RADIUS server (either local or remote) provides services for customer authentication and accounting.

There are two ways to deploy this scenario as illustrated by topology 1 and topology 2 in the sections that follow.

Topology 1

In this version, the NOC is located at a remote site and is accessed through the Internet. The MSC is connected to the Internet by way of a broadband modem, and the Internet connection is protected by the MSC's firewall and NAT features. The MSC connects to the VPN server at the NOC using its PPTP client. This provides a secure link through which data can be transferred.

[Figure: Topology 1. Labels: RADIUS server, VPN server (myvpn.com), VPN tunnel, LAN 192.168.1.0, MSC (LAN port, Internet port), PUBLIC WLAN.]
Topology 2

In this version the RADIUS server is located on local LAN B. Instead of being directly connected to the Internet, the MSC is also connected to local LAN B which provides a router/firewall to handle the connection to the Internet.

[Figure: Topology 2. Labels: RADIUS server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, MSC (LAN port, Internet port), PUBLIC WLAN.]

Configuration road map

On the RADIUS server

Define RADIUS accounts for all customers that will use the public access network.

Install the MSC

1. Install the MSC as described in its Quickstart guide.
2. If setting up Topology 1, connect the Internet port to a broadband modem and then restart the modem. If setting up Topology 2, connect the Internet port to LAN B.
3. Connect the LAN port to the local area network.
4. Start the management tool.

Configure the wireless network

By default the MSC is configured to:
- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default one radio on the MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.
Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the proper addressing option:
   - For topology 1, select the option supported by your ISP and click Configure. Define all settings as required.
   - For topology 2, select DHCP client and click Save.

Create a VPN connection (Topology 1 only)

1. Select Security > PPTP client.
2. Under Connection, set the PPTP server address to the address of the VPN server (in this example, myvpn.com).
3. Under Account, set Username and Password as required by the VPN server.
4. Click Save.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
3. In the Profile name box, assign RADIUS Profile 1 to the new profile.
4. In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
5. In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.

Enable RADIUS authentication of customers

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under HTML-based user logins:
     - Clear the Local authentication checkbox.
     - Select the RADIUS authentication checkbox.
     - For RADIUS profile, select RADIUS Profile 1.
     - Select the RADIUS accounting checkbox.
   - Click Save.
Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the Login page. Specify a valid customer name and password.
3. The Session page will open.
4. Next, you are automatically redirected to the web site you originally requested.
Scenario 2b: Hotspot with custom interface (AAA server)

This scenario adds custom settings to the default public access interface used in Scenario 2a. This installation illustrates how to customize the operation of the public access interface when using a AAA RADIUS server.

How it works

In this scenario a web server is used to store custom pages for the public access interface. The MSC loads these pages each time it is restarted.

The following diagrams show how the two topologies described in Scenario 2a can be modified to support layer 2 security. In both cases the configuration procedure is the same.

Topology 1

In this version the Web server is located at a remote site and is accessed through the Internet by way of a VPN tunnel.

[Figure: Topology 1. Labels: Web server, RADIUS server, VPN server (myvpn.com), VPN tunnel, LAN 192.168.1.0, MSC (LAN port, Internet port), PUBLIC WLAN.]
Topology 2

In this version the Web server is located on local LAN B.

[Figure: Topology 2. Labels: RADIUS server, Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, MSC (LAN port, Internet port), PUBLIC WLAN.]

Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Customize the login page and logo

1. Create a folder called newpages on the web server.
2. Create a file called logo.gif that contains your logo and place it in the newpages folder (recommended size less than 20K). This same image file is shared by all pages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to www.colubris.com and on the home page at left select Support > Product Registration.)
4. Copy the following files from the current QuickSetup.zip file and place them in the newpages folder.
   - login.html
   - transport.html
   - session.html
   - fail.html
5. Edit login.html to meet the requirements of your site, keeping the following restrictions in mind:
   - Do not alter the ID tags <!-- Colubris --> & <!-- Custom --> located at the top of the page.
   - Do not alter any JavaScript code.
Define attributes on the RADIUS server

Define a RADIUS account for the MSC and add the following entries to it.

   login-page=web_server_url/newpages/login.html
   transport-page=web_server_url/newpages/transport.html
   session-page=web_server_url/newpages/session.html
   fail-page=web_server_url/newpages/fail.html
   logo=web_server_url/newpages/logo.gif

For more information on these attributes, consult the Public Access Administrator Guide.

Enable RADIUS authentication of the MSC

The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.

1. Select Security > Authentication.
2. Enable the RADIUS authentication option.
3. Select the RADIUS profile you just defined (RADIUS Profile 1).
4. Specify the username and password the MSC will use to login to the RADIUS server.
5. Click Force authentication. The light should turn green, indicating that the MSC has been successfully authenticated.
6. Click Save.

Test the public access interface

To test your installation, use a wireless client station to log onto the public access interface. (For this to work, the MSC must be configured as the client's default gateway. This is done by default if the wireless client is using DHCP.)

1. Start the client station's web browser and enter the IP address (or domain name) of a web site on the Internet.
2. The MSC should intercept the URL and display the modified Login page. (Depending on the type of certificate that is installed on the MSC, you may see a security warning first.)
3. To login, specify a valid customer name and password. The Session page should open.
4. Next, you are automatically redirected to the web site you originally requested.
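
The "Customize the login page and logo" steps in Scenarios 1b and 2b can be checked on the web server before the page attributes are defined. The following Python script is an added example, not Colubris code: it assumes an untouched copy of the QuickSetup.zip pages is kept in a folder named reference (a hypothetical name), reads "20K" as 20 KiB and "top of the page" as the first 10 lines, and runs against constructed sample pages.

```python
import re
import tempfile
from pathlib import Path

REQUIRED_PAGES = ("login.html", "transport.html", "session.html", "fail.html")
ID_TAGS = ("<!-- Colubris -->", "<!-- Custom -->")
LOGO_LIMIT = 20 * 1024  # assumption: the guide's "20K" read as 20 KiB
TOP_LINES = 10          # assumption: "top of the page" means the first 10 lines
# Only <script> elements are compared; inline event handlers are not inspected.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

# Constructed sample page; the real login.html from QuickSetup.zip will differ.
SAMPLE_LOGIN = """<!-- Colubris -->
<!-- Custom -->
<html><body>
<h1>Login</h1>
<script type="text/javascript">function submitLogin() { return true; }</script>
</body></html>
"""


def script_blocks(html):
    """Return the body of every <script> element, in document order."""
    return [body.strip() for body in SCRIPT_RE.findall(html)]


def check_pages(newpages, reference):
    """Compare an edited newpages folder with the unmodified reference copy.

    Returns a list of problem strings; an empty list means the set is ready.
    """
    newpages, reference = Path(newpages), Path(reference)
    problems = [f"missing page: {name}" for name in REQUIRED_PAGES
                if not (newpages / name).is_file()]

    login = newpages / "login.html"
    if login.is_file():
        text = login.read_text(encoding="utf-8", errors="replace")
        head = "\n".join(text.splitlines()[:TOP_LINES])
        for tag in ID_TAGS:
            if tag not in head:
                problems.append(f"login.html: ID tag {tag} not at top of page")
        ref = reference / "login.html"
        if not ref.is_file():
            problems.append("no reference login.html to compare JavaScript against")
        elif script_blocks(text) != script_blocks(
                ref.read_text(encoding="utf-8", errors="replace")):
            problems.append("login.html: JavaScript differs from reference copy")

    logo = newpages / "logo.gif"
    if not logo.is_file():
        problems.append("missing logo.gif")
    elif logo.stat().st_size >= LOGO_LIMIT:
        problems.append(f"logo.gif is {logo.stat().st_size} bytes "
                        f"(recommended under {LOGO_LIMIT})")
    return problems


def attribute_lines(web_server_url):
    """Build the five attribute entries from the guide for a given base URL."""
    base = web_server_url.rstrip("/") + "/newpages"
    names = [("login-page", "login.html"), ("transport-page", "transport.html"),
             ("session-page", "session.html"), ("fail-page", "fail.html"),
             ("logo", "logo.gif")]
    return [f"{key}={base}/{fname}" for key, fname in names]


def build_sample(root, broken=False):
    """Create constructed reference/ and newpages/ folders under root."""
    ref, new = Path(root) / "reference", Path(root) / "newpages"
    ref.mkdir()
    new.mkdir()
    (ref / "login.html").write_text(SAMPLE_LOGIN, encoding="utf-8")
    # A permitted edit: only visible text changes.
    edited = SAMPLE_LOGIN.replace("<h1>Login</h1>", "<h1>Welcome to Example Cafe</h1>")
    if broken:  # the two edits the guide forbids
        edited = edited.replace("<!-- Custom -->\n", "")
        edited = edited.replace("return true", "return false")
    (new / "login.html").write_text(edited, encoding="utf-8")
    for name in REQUIRED_PAGES[1:]:
        if not (broken and name == "fail.html"):
            (new / name).write_text("<html></html>", encoding="utf-8")
    size = 25 * 1024 if broken else 1024
    (new / "logo.gif").write_bytes(b"GIF89a" + b"\0" * size)
    return new, ref


def demo():
    """Run the check on a compliant and a non-compliant constructed page set."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        ok = check_pages(*build_sample(good))
        failed = check_pages(*build_sample(bad, broken=True))
    return ok, failed


if __name__ == "__main__":
    ok, failed = demo()
    print("compliant set:", ok or "no problems")
    print("\n".join(failed))
    print("\n".join(attribute_lines("http://www.example.com")))
```
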
Scenario 2c: Hotspot with satellites and roaming (AAA server)

This scenario adds multiple MAPs to extend the wireless network in Scenario 2b. MAP devices can be used to extend the reach of the public access network created by an InMotion MultiService Controller (MSC).

How it works

In this scenario several MAP devices are connected to an MSC by way of a backbone LAN to provide multiple wireless cells for a large physical location. Customers can log into the public access network at any location and can roam between access points without losing their connection.

By default, each MAP is configured as a DHCP client and obtains its address from the MSC, which by default is configured as the DHCP server.

A RADIUS server (either local or remote) provides services for customer authentication and accounting.

Note: This scenario can also be created using an MSC with no radio, in which case wireless cells are only provided by the MAP devices. When using non-radio MSC units, the DHCP server option must be enabled manually on the MSC.

The following diagrams illustrate how the two topologies described in Scenario 2b can be modified to support satellites and roaming. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, RADIUS server, VPN server (myvpn.com), VPN tunnel, LAN 192.168.1.0, two MAPs, MSC (LAN port, Internet port), PUBLIC WLAN cells.]
Topology 2

[Figure: Topology 2. Labels: RADIUS server, Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, two MAPs, MSC (LAN port, Internet port), PUBLIC WLAN cells.]

Configuration road map

Important: Start with the configuration defined in Scenario 2b.

Install the MAPs

1. Install the MAPs as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default the MAPs are configured to:
- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 and the MSC-3300 is used to provide the wireless network, and the other is placed into Monitor mode.

Set the shared secret on the MSC

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.
Configure the connection to the MSC on the MAPs

Configure the following on each MAP.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. In the General box, select the Use Colubris access controller check box.
4. Click Save.

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.
Scenario 2d: Hotspot with layer 2 security (AAA server)

This scenario adds support for 802.1x and WPA clients to scenario 2c. Enabling support for 802.1x (with WEP encryption) and WPA protects all wireless transmissions against eavesdropping.

How it works

This scenario creates three virtual service communities (VSCs) on each device. Each VSC provides support for a different security option: 802.1x (with WEP), WPA, and none.

To connect with the wireless network, customers must select the SSID that matches the option that they want to use. Roaming between MAPs is supported, since the same VSCs are defined on all access points.

Authentication of client stations occurs as follows:
- On the SSIDs 8021x and WPA, authentication is handled by way of 802.1x by the MSC using accounts defined on the RADIUS server. These stations do not see the public access interface.
- On the SSID None, client stations must login through the public access interface and are authenticated by the MSC by way of accounts defined on the RADIUS server.

The following diagrams show how the two topologies described in Scenario 2c can be modified to support layer 2 security. In both cases the configuration procedure is the same.

Topology 1

[Figure: Topology 1. Labels: Web server, RADIUS server, VPN server (myvpn.com), VPN tunnel, LAN 192.168.1.0, two MAPs and the MSC (LAN port, Internet port), each with SSID None, SSID 8021x, and SSID WPA.]
Topology 2

[Figure: Topology 2. Labels: RADIUS server, Web server, Router/Firewall, LAN A 192.168.1.0, LAN B 192.168.5.0, two MAPs and the MSC (LAN port, Internet port), each with SSID None, SSID 8021x, and SSID WPA.]

Configuration road map

Important: Start with the configuration defined in Scenario 2c.

Create VSCs on the MAP

Use the following steps to create three virtual service communities on all MAPs.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - Leave Key source as RADIUS.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.
   - Click Save.

Create VSCs on the MSC

Use the following steps to create virtual service communities on the MSC that match each VSC you configured on the MAPs:

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as None.
   - Under Virtual AP, enter the WLAN name (SSID) as None.
   - Under HTML-based user logins:
     - Enable RADIUS authentication.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as WPA.
   - Under Virtual AP, enter the WLAN name (SSID) as WPA.
   - Under Wireless protection:
     - Select the checkbox and leave the default setting of WPA.
     - For Mode, select WPA or WPA2.
     - Leave Key source as RADIUS.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
   - Click Save.
6. On the Virtual Service Communities page, click Add new profile.
7. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as 8021x.
   - Under Virtual AP, enter the WLAN name (SSID) as 8021x.
   - Under Wireless protection:
     - Select the checkbox and select 802.1x.
     - For RADIUS profile, select RADIUS Profile 1 (which was defined in Scenario 2a).
     - Select the Mandatory authentication checkbox.
     - Select the WEP encryption checkbox.
   - Clear the HTML-based user logins checkbox.
   - Under Access controlled, clear the Redirect HTML users to login page checkbox.
   - Click Save.
Scenario 2e: Using dual radios to support A+B+G traffic

This scenario adds support for 802.11a wireless clients to Scenario 2d.

Colubris Networks dual radio products can be configured to support the same SSID on two different radios. This enables a single device to support wireless clients regardless of the type of radio they have: 802.11a, b, or g.

Important: This scenario is supported by dual-radio units only.

How it works

In this scenario an MSC 3300 is used in conjunction with two MAP-330s. Both products support dual radios. The radios on all these devices are to operate as follows:

- Radio 1: 802.11b/g mode
- Radio 2: 802.11a mode

The three wireless profiles created in Scenario 2d are changed to transmit and receive on both radio 1 and radio 2. Customers are now able to connect regardless of their radio type: 802.11a/b/g. Since 802.11a customers are on a separate radio, they do not share bandwidth with the b/g customers.

Note: See Scenario 2d for a diagram of the network topology.

Configuration road map

Important: Start with the configuration defined in Scenario 2d.

Configure radio 2

1. Select Wireless > Radios.
2. Under Radio 2:
   - Change Operating mode to Access point only.
   - Change Wireless mode to 802.11a.
3. Click Save.

Configure VSC profiles

1. Select Virtual AP > Profiles.
2. Edit each VSC created in Scenario 2d (8021x, WPA, and none) as follows:
   - Click the profile name.
   - Under Virtual AP, set Transmit/receive on to Radio 1 and 2.
   - Click Save.
Scenario 3: Shared hotspot for public and private traffic

In this scenario VLANs and multiple SSIDs are used to enable public and private users to share the same infrastructure with complete security.

How it works

This scenario shows you how to deploy a wireless network so that it can be shared between company employees and paying customers. It enables you to leverage a single wireless infrastructure to build a hotspot and provide easy access for mobile employees.

Employees connect using the SSID Private and are routed to the corporate network on VLAN 50. The MSC authenticates employees using the Corporate RADIUS server. Once authenticated, employee traffic is forwarded on VLAN 50 so that it can reach the corporate intranet.

Customers connect using the SSID Public and log in using the MSC's public access interface. The MSC authenticates customers using the ISP RADIUS server. Once authenticated, customer traffic is forwarded on VLAN 60 so that it can reach the Internet.

[Figure: Scenario 3 topology. Labels: Corporate RADIUS server, ISP RADIUS server, Corporate Intranet, Firewall (192.168.5.5), Switch carrying VLAN 50 and VLAN 60, Employees, MSC (192.168.5.1), MAP, Employee SSID = Private, Guest SSID = Public.]
Configuration road map

Define settings on the RADIUS servers

1. On ISPRADIUS create accounts for public users.
2. On CorporateRADIUS create accounts for employees.

Install the MSC and MAP

1. Install the MSC and MAP as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select No address (Support VLAN traffic only).
3. Click Save.

Create two RADIUS profiles

1. Select Security > RADIUS.
2. Click Add New Profile.
   - In the Profile name box, assign CorporateRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.
   - Click Save.
3. Click Add New Profile.
   - In the Profile name box, assign ISPRADIUS to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the RADIUS server and the secret the MSC will use.
   - Click Save.

Create VLANs

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as Internet port.
     - Set VLAN ID to 50.
     - Set VLAN name to Private.
   - Under Assign IP address via, select Static.
     - Set IP address to 192.168.5.1.
     - Set Mask to 255.255.255.0.
     - Leave Gateway blank.
   - Click Save.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as Internet port.
     - Set VLAN ID to 60.
     - Set VLAN name to Public.
   - Under Assign IP address via, select DHCP client.
   - Click Save.

Create VSCs

Use the following steps to create two virtual service communities on the MSC:

Note: This Private profile must be defined first to enable it to also support wired employees, since untagged incoming traffic on the LAN port is always sent to the first VSC profile.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Private.
   - Under General, select the Provide access control checkbox.
   - Under Virtual AP, enter the WLAN name (SSID) as Private.
   - Under VSC ingress mapping, select SSID.
   - Under VSC egress mapping, for Authenticated select Private.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select CorporateRADIUS.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under Virtual AP, enter the WLAN name (SSID) as Public.
   - Under VSC ingress mapping, select SSID.
   - Under VSC egress mapping, for Authenticated select Public.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select ISPRADIUS.
   - Click Save.
Set the shared secret

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAP to send authentication requests to the MSC.
3. Click Save.

Configure the MAP

Create VSCs

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Public.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Private.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Private.
   - Click Save.

Configure the connection to the MSC

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.
Scenario 4: Delivering custom HTML pages using VLANs (AAA server)

This scenario shows you how to split customers onto different VLANs and use this to deliver a customized user experience.

How it works

In this scenario a hotel assigns customer traffic to a different VLAN based on an access point's location within the building.

- The MAPs serving the hotel rooms on each floor are configured to return customer traffic on VLAN 40.
- The MAPs serving the hotel lobby, terrace, and restaurant are configured to return customer traffic on VLAN 50.
- VLAN 30 is defined for management purposes. It is used by the network administrator to reach the management tool on the MSC and MAPs.

One advantage to this strategy is that it enables all devices to have the same SSID (Hotspot, for example), making it easy for customers to connect. Custom content is triggered based on the VLAN ID that customer traffic is mapped to.

[Figure: Scenario 4 topology. A RADIUS server and the MSC (VLAN 30, VLAN 40, VLAN 50) connect to five MAPs, all with SSID = Hotspot. Hotel Rooms: Floor 3, Floor 2, Floor 1 (VLAN 30, VLAN 40). Public Spaces: Terrace, Restaurant (VLAN 30, VLAN 50).]

In this scenario the MSC is used to provide access control only and does support wireless clients.
Configuration road map

On the RADIUS server

Define accounts for all the customers and the MSC. To deliver custom content based on the VLAN, add the following entry to the RADIUS profile for the MSC.

    welcome-url=web_server_url/premium/welcome.html?vlan=%v

Create a server-side script to retrieve the VLAN value and then display a custom Login page as follows:

- If VLAN = 40, display the customer Login page.
- If VLAN = 50, display the public access Login page.

Install the MSC and the MAPs

1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Configure the wireless network

By default the MSC is configured to:

- support 802.11b/g clients
- automatically choose the best operating channel (frequency)
- create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 and MSC-3300 is used to provide the wireless network and the other is placed into Monitor mode.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option as required by the LAN and click Configure.
3. Define all settings as required.

Create a RADIUS profile

1. Select Security > RADIUS.
2. Click Add New Profile.
   - In the Profile name box, assign RADIUS1 to the new profile.
   - In the Settings box, use the defaults except for Authentication method, which must match the method supported by the RADIUS server.
   - In the Primary RADIUS server box, specify the address of the corporate RADIUS server and the secret the MSC will use.
   - Click Save.
Enable RADIUS authentication of the MSC

The MSC will retrieve the configuration attributes defined on the RADIUS server each time it authenticates with the server.

1. Select Security > Authentication.
2. Enable the RADIUS authentication option.
3. Select the RADIUS profile you just defined (RADIUS Profile 1).
4. Specify the username and password the MSC will use to login to the RADIUS server.
5. Click Force authentication. The light should turn green, indicating that the MSC has been successfully authenticated.
6. Click Save.

Create VLANs

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 30.
     - Set VLAN name to Management.
   - Under Assign IP address via, select Static.
     - Set IP address to 192.168.30.1.
     - Set Mask to 255.255.255.0.
     - Leave Gateway blank.
   - Click Save.
3. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 40.
     - Set VLAN name to Guest.
   - Under Assign IP address via, select None.
   - Click Save.
4. Under VLAN configuration, click Add New VLAN.
   - Under General:
     - Leave the Port selection as LAN port.
     - Set VLAN ID to 50.
     - Set VLAN name to Public.
   - Under Assign IP address via, select None.
   - Click Save.
Create VSCs

The following two virtual service communities need to be created on the MSC:

- Guest: Handles guest traffic on VLAN 40.
- Public: Handles public traffic on VLAN 50.

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Guest.
   - Under General, select the Provide access control checkbox.
   - Under VSC ingress mapping, clear the SSID checkbox.
   - Under VSC ingress mapping, select VLAN then select Guest.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select RADIUS1.
   - Click Save.
4. On the Virtual Service Communities page, click Add new profile.
5. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under VSC ingress mapping, clear the SSID checkbox.
   - Under VSC ingress mapping, select VLAN and then select Public.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select RADIUS1.
   - Click Save.

Set the shared secret

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to a unique string. For example: xr2t56. This password will be used by the MAPs to send authentication requests to the MSC.
3. Click Save.
Configure the MAPs

Set static addressing and management VLAN

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
   - Under Assign IP address via, select Static then click the Configure button. Define the following:
     - For each MAP, set IP address to a unique address on the 192.168.30.x subnet.
     - Set Address mask to 255.255.255.0.
     - Set Default gateway to 192.168.30.1.
   - Click Save.

Configure management VLAN

1. Select Network > Ports.
2. Under Port configuration, click Port 1.
   - Under VLAN:
     - Select the VLAN checkbox.
     - Set VLAN ID to 30.
     - Select the Restrict default VLAN to management traffic only checkbox.
   - Click Save.

Configure a VSC

1. Select VSC > Profiles.
2. On the Virtual Service Communities page, click the Colubris Networks profile.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Hotspot.
   - Under General, select the Use Colubris access controller check box.
   - Under Virtual AP, enter the WLAN name (SSID) as Hotspot.
   - Under Egress VLAN:
     - If the MAP is serving a hotel room, set VLAN ID to 40 (which corresponds to the Guest VLAN).
     - If the MAP is serving a public area, set VLAN ID to 50 (which corresponds to the Public VLAN).
   - Click Save.

Configure the connection to the MSC

1. Select Security > Access controller.
2. Set the Access controller shared secret to match the secret set on the MSC.
3. Click Save.
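One way to write the server-side script that Scenario 4 calls for under "On the RADIUS server", shown as an added example (not Colubris code). The page file names, the fallback page, and the WSGI wrapper are assumptions; the vlan parameter and the IDs 40 and 50 come from the scenario. The value arrives in a browser request, so the script accepts only a single, strictly numeric VLAN ID and never uses it to build a file path.

```python
"""Added example: pick the login page from the vlan= value in welcome-url."""
from urllib.parse import parse_qs

# VLAN IDs are from Scenario 4; the page file names are assumptions.
LOGIN_PAGES = {
    40: "guest_login.html",    # MAPs serving hotel rooms (Guest VLAN)
    50: "public_login.html",   # MAPs serving public areas (Public VLAN)
}
FALLBACK_PAGE = "unknown_location.html"  # assumed page for any other value

# Constructed page bodies so the example runs offline.
PAGES = {
    "guest_login.html": b"<h1>Hotel guest login</h1>",
    "public_login.html": b"<h1>Public access login</h1>",
    "unknown_location.html": b"<h1>Location not recognised</h1>",
}


def parse_vlan(query_string):
    """Return the VLAN ID as an int, or None if it is absent or malformed."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("vlan", [])
    if len(values) != 1:          # missing, or supplied more than once
        return None
    raw = values[0]
    # ASCII digits only: rejects signs, whitespace, path fragments, markup
    # and non-ASCII digit characters that int() would otherwise accept.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 4:
        return None
    vlan = int(raw)
    return vlan if 1 <= vlan <= 4094 else None   # valid 802.1Q range


def select_login_page(query_string):
    """Map the request to (page name, HTTP status) through the allowlist."""
    page = LOGIN_PAGES.get(parse_vlan(query_string))
    if page is None:
        return FALLBACK_PAGE, "404 Not Found"
    return page, "200 OK"


def app(environ, start_response):
    """Minimal WSGI entry point serving the selected page."""
    page, status = select_login_page(environ.get("QUERY_STRING", ""))
    body = PAGES[page]
    start_response(status, [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ])
    return [body]
```

The lookup goes through a fixed table, so a request can only ever select one of the pages the administrator defined.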
Scenario 5: Custom HTML pages on each MAP (local mode)

This scenario shows you how to create a customized user experience based on the MAP with which a customer is associated.

How it works

In this scenario wireless networking for a condo complex is deployed using multiple MAPs and a single MSC. The complex features three buildings, each with several condos serviced by a single MAP.

Since the tenant turnover is low, and network access is included in the monthly condo fee, accounting support is not needed. Therefore this scenario does not use a RADIUS server. Instead, all logins are validated by the MSC using a locally defined user list.

To offer personalized service for each building, a set of custom web pages is created for each building and stored in a separate folder on a web server. (A third-party server on the Internet is used to keep costs down.) Customers are redirected to the appropriate set of pages based on the location-aware group name assigned to each MAP.

[Figure: Scenario 5 topology. A web server is reached through the MSC's Internet port; the MSC (1.1) LAN port connects the 192.168.1.0 network to MAP 1 (1.2), MAP 2 (1.3), and MAP 3 (1.4), serving Condo complex 1, Condo complex 2, and Condo complex 3.]

About the location-aware feature

This feature, which is enabled by default, permits the MSC to determine the physical location where customers are logging into the network (as well as other information which can be used for customer tracking). See the Public Access Administrator's Guide for more information on this feature.

This scenario uses the location-aware group name feature to assign a unique name to each MAP. When a customer logs in, the MAP reports this name to the MSC. The name is then used to create a URL to a custom set of pages on the web server.
Configuration road map

Install the MSC and the MAPs

1. Install the devices as described in the appropriate quickstart guide.
2. Before you connect each unit to the LAN, start the Management Tool and configure each unit as described in the sections that follow.

Create the custom web pages

1. Create the following folder on the web server: \newpages
2. Create a file called logo.gif that contains a custom logo for the service being offered and place it in \newpages.
3. Download the current QuickSetup.zip file from the Colubris Support website. (Go to www.colubris.com and on the home page at left select Support > Product Registration.)
4. Place a copy of each of the following files from the current QuickSetup.zip file into \newpages.
   - transport.html
   - session.html
   - fail.html
5. Create the following three folders on the web server:
   - \newpages\complex_1
   - \newpages\complex_2
   - \newpages\complex_3
6. Create the following three HTML files in each of the three new folders. Customize each file so that it provides content specific to each condo complex:
   - login.html: This is the page tenants will use to log in. The following sample code illustrates how to retrieve login credentials and send them to the MSC for validation.

         <!-- Credentials are submitted to the MSC for validation -->
         <form action="https://wireless.colubris.com:8090/goform/htmlloginrequest">
           <input type="text" name="username" id="username" />
           <input type="text" name="password" id="password" />
           <input type="submit" />
         </form>

   - welcome.html: This is the page tenants will see after their login is approved. It is a standard HTML page and can be customized as required.
   - goodbye.html: This is the page tenants will see after they log out. It is a standard HTML page and can be customized as required.

Configure the MAPs

By default each MAP is configured to:

- Automatically select the best operating frequency.
- Create a wireless network named Colubris Networks.
- Act as a DHCP client on its LAN ports.
- Use the MSC as the access controller.

There is no need to change these settings for this scenario.
Configure the location-aware group name

Set a unique group name on each MAP as follows:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Under General, make sure that the Use Colubris access controller checkbox is selected.
4. Under Location aware:
   - For MAP 1, set Group name to Complex_1.
   - For MAP 2, set Group name to Complex_2.
   - For MAP 3, set Group name to Complex_3.
5. Click Save.

Configure the connection to the MSC on the MAPs

Each MAP will use the services of the MSC to authenticate customer logins. Do the following on each MAP.

1. Select Security > Access controller.
2. Set the Access controller shared secret to the same unique value on all MAPs. For example: xr2t56. This password will be used by the MAPs to connect to the MSC when they send authentication requests.
3. Click Save.

Note: By default the MAP is set up to use the default gateway assigned by DHCP as the access controller. Do not change this setting.

Configure the MSC

Configure the Internet port

1. Select Network > Ports > Internet port.
2. Select the addressing option required by your ISP.
3. Click Configure and define all settings as required.

Configure attributes to activate the customized pages

1. Open the Security > Local config page and define the following attributes:

The first four attributes provide support for the common pages that are generic for all tenants, and the shared logo file.

    transport-page=web_server_url/newpages/transport.html
    session-page=web_server_url/newpages/session.html
    fail-page=web_server_url/newpages/fail.html
    logo=web_server_url/newpages/logo.gif

The next three attributes provide support for the custom pages. Each time a tenant logs in the MSC calls these pages, replacing the %G with the group name assigned to the MAP that the tenant is associated with.
    login-url=web_server_url/newpages/%g/login.html
    welcome-url=web_server_url/newpages/%g/welcome.html
    goodbye-url=web_server_url/newpages/%g/goodbye.html
By default the MSC blocks access to any resources that are connected to its Internet port until a client station successfully logs in. However, to log in, a client station must be able to load the custom login page hosted on the web server. To solve this problem, an access list definition is added that permits access to the web server for all unauthenticated stations.

    Access-list=loginpage,ACCEPT,tcp,web_server_URL,80
    Use-access-list=loginpage

Define the list of condo tenants

1. Select Security > Users.
2. Add usernames and passwords for all condo tenants.

Set the shared secret on the MSC

1. Select Security > Authentication > Advanced Settings.
2. In the Access controller shared secret box, set Shared secret and Confirm shared secret to the same value you set on the MAPs.
3. Click Save.

Using the public access interface

To use the condo Internet service, tenants do the following:

- Connect to the SSID Colubris Networks using 802.11b or g.
- Start their web browser and enter the URL wireless.colubris.com, which is the URL assigned to the MSC. The MSC will redirect the browser to the login page on the web server.
- After the tenant logs in and is validated, the Welcome page is displayed. The tenant can now surf the Internet.
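A pre-deployment check for Scenario 5, added here as an example (not Colubris code): it expands the three %g URL attributes for each MAP group name and compares the result with the folders created on the web server. It assumes the MSC substitutes the group name verbatim and that the web server may treat paths case-sensitively; the file listing is constructed from the folder and file names in "Create the custom web pages".

```python
"""Added example: verify that every %g expansion resolves to a real page."""
import re

# Attribute templates as defined on the Security > Local config page.
TEMPLATES = {
    "login-url": "web_server_url/newpages/%g/login.html",
    "welcome-url": "web_server_url/newpages/%g/welcome.html",
    "goodbye-url": "web_server_url/newpages/%g/goodbye.html",
}
# Group names as set under Location aware on MAP 1, MAP 2 and MAP 3.
GROUP_NAMES = ["Complex_1", "Complex_2", "Complex_3"]

# Constructed listing of the web server content, using the folder names
# from the scenario (\newpages\complex_1 ...), written with forward slashes.
SERVER_FILES = {
    f"newpages/complex_{n}/{page}"
    for n in (1, 2, 3)
    for page in ("login.html", "welcome.html", "goodbye.html")
}

URL_PREFIX = "web_server_url/"            # placeholder used by the guide
_SAFE_GROUP = re.compile(r"[A-Za-z0-9_-]+")


def expand(template, group):
    """Substitute a group name for %g, refusing names that could add
    path segments or query text to the resulting URL."""
    if not _SAFE_GROUP.fullmatch(group):
        raise ValueError(f"unsafe group name: {group!r}")
    return template.replace("%g", group)


def check_layout(templates, groups, server_files, case_sensitive=True):
    """Return (attribute, group, path, problem) for each URL that will
    not resolve. problem is 'missing' or 'case-mismatch'."""
    lowered = {name.lower() for name in server_files}
    findings = []
    for attribute, template in templates.items():
        for group in groups:
            path = expand(template, group)
            if path.startswith(URL_PREFIX):
                path = path[len(URL_PREFIX):]
            if path in server_files:
                continue
            if path.lower() in lowered:
                # The file exists but only under different letter case.
                if case_sensitive:
                    findings.append((attribute, group, path, "case-mismatch"))
            else:
                findings.append((attribute, group, path, "missing"))
    return findings


if __name__ == "__main__":
    for finding in check_layout(TEMPLATES, GROUP_NAMES, SERVER_FILES):
        print(*finding, sep="  ")
```

With the names used in this scenario, the group names (Complex_1) and the folder names (complex_1) differ only in case, so every custom page is reported as a case mismatch unless the web server ignores case.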
Chapter 4: Enterprise deployment

In this chapter you can find sample deployment strategies for common enterprise scenarios. These scenarios can give you a good idea about how to approach your installation.
In this chapter

This chapter contains the following scenarios.

- Scenario 1: Adding secure wireless networking
- Scenario 2a: Integrating wireless networking with authentication
- Scenario 2b: Using multiple wireless profiles and QoS
- Scenario 2c: Supporting wireless phones
- Scenario 3: Adding wireless networking to a segmented network
- Scenario 4: Roaming across different subnets (single MSC)
- Scenario 5: Roaming across different subnets (multiple MSCs)
- Scenario 6: Access-controlled VSCs and roaming
Scenario 1: Adding secure wireless networking

The MAP makes it easy to add secure wireless connectivity to an existing local area network.

How it works

In this scenario a MAP is installed on an existing corporate network to provide wireless networking services for employees. Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates a wireless extension to the existing network.

Wireless transmissions are protected using WPA with preshared keys, ensuring that network traffic cannot be compromised by eavesdroppers.

[Figure: Scenario 1 topology. A DHCP server and hosts (5.2, 5.3, 5.4, 5.6) on the Corporate Network (192.168.5.0); the MAP (5.7) serves WPA-protected wireless clients (5.8, 5.9) on the WLAN.]

Configuration road map

Install the MAP

1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAP to the LAN, start the Management Tool and configure it as described in the sections that follow.

Configure the wireless network

By default the MAP is configured to:

- Automatically select the best operating frequency
- Create a wireless network named Colubris Networks

Note: By default one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.
Configure addressing

By default, the MAP is set to operate as a DHCP client. In the sample topology it is automatically assigned the IP address 5.7 by the corporate DHCP server. To make the MAP easier to manage, it may be useful to assign a static IP address to it as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
   - Select the checkbox and leave the default setting of WPA.
   - For Mode, select WPA or WPA2.
   - For Key source, select Preshared key.
   - For Key and Confirm key, set a unique key value.
5. Click Save.
Scenario 2a: Integrating wireless networking with authentication

The MAP can easily be integrated into an existing networking infrastructure to provide secure wireless networking by leveraging an existing RADIUS server.

How it works

In this scenario a MAP is installed on an existing corporate network to provide wireless networking services for employees. Since the MAP functions as a DHCP client and all its ports are bridged, it simply creates a wireless extension to the existing network.

Security for the wireless network is provided using 802.1x. The MAP uses the existing RADIUS server on the corporate network to validate employee logins.

[Figure: Scenario 2a topology. A RADIUS server, DHCP server, and hosts (5.2 to 5.6) on the Corporate Network (192.168.5.0); the MAP (5.7) serves 802.1x wireless clients (5.8, 5.9) on the WLAN.]

Configuration road map

Install the MAP

1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAP to the LAN, start the Management Tool and configure it as described in the sections that follow.

Configure the wireless network

By default the MAP is configured to:

- Automatically select the best operating frequency
- Create a wireless network named Colubris Networks

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.
Configure addressing

By default, the MAP is set to operate as a DHCP client. In the sample topology it is automatically assigned the IP address 5.7 by the corporate DHCP server. To make the MAP easier to manage, it may be useful to assign a static IP address to it as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters and click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
3. Clear the Wireless security filters checkbox.
4. Under Wireless protection:
   - Select the checkbox.
   - Select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
5. Click Save.
Scenario 2b: Using multiple wireless profiles and QoS

This scenario expands scenario 2a by using virtual service communities to add a variety of wireless services. The MAP can create multiple virtual service communities (VSCs) to support different types of services, including wireless security options, authentication, and quality of service (QoS).

How it works

In this scenario the MAP provides three different wireless networks and uses QoS settings to prioritize traffic:

- Employee: This network is for use by all employees. It features 802.1x security and a QoS setting that provides for normal traffic priority.
- Guest: This network is for use by guests. It features WEP security and a QoS setting that provides for low traffic priority. Guest traffic is restricted using the MAP's security filter capability so that guest traffic can only reach the router for Internet access. For this to work, the DHCP server must be configured to return the router as the default gateway.
- Video: This network is for video conferencing. It features 802.1x security and a QoS setting that provides for high traffic priority.

[Figure: sample topology. Labels: RADIUS server, DHCP server, addresses 5.2 through 5.6 on the corporate network 192.168.5.0, Router/Firewall at 5.99, MAP at 5.7 with SSID=Guest (QoS=VAP-based Low), SSID=Video (QoS=VAP-based High) and SSID=Employee (QoS=VAP-based Normal).]
Configuration road map

Important: Start with the configuration defined in Scenario 2a.

Configure VSCs

Use the following steps to define the three virtual service communities required for this scenario.

1. Select VSC > Profiles.
2. Click the Colubris Networks profile to edit it.
   - Under Name, enter Employee.
   - Under WLAN name (SSID), enter Employee.
   - Under Virtual AP, QoS priority mechanism, select VAP Based Normal.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection:
     - Select the checkbox.
     - Select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
   - Click Save.
3. Click Add New Profile.
   - Under Name, enter Guest.
   - Under WLAN name (SSID), enter Guest.
   - Under Virtual AP, QoS priority mechanism, select VAP Based Low.
   - Under Wireless protection:
     - Select the checkbox.
     - Select WEP.
     - Define a set of unique WEP keys.
   - Click Save.
4. Click Add New Profile.
   - Under Name, enter Video.
   - Under WLAN name (SSID), enter Video.
   - Under Virtual AP, QoS priority mechanism, select VAP Based High.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection:
     - Select the checkbox.
     - Select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
   - Click Save.
Scenario 2c: Supporting wireless phones

This scenario adds support for wireless phones to Scenario 2b. The MAP provides two features to support SIP and Spectralink phones: SVP quality of service support and MAC-based authentication.

How it works

This scenario adds two virtual service communities to provide support for wireless phones. Authentication of phones is accomplished by adding the MAC address of each phone to an internal list maintained on the MAP. Only phones that appear in the list can connect. A separate VSC is added for each type of phone: Spectralink and SIP.

[Figure: sample topology. Labels: RADIUS server, DHCP server, SIP server, addresses 5.2 through 5.6 on the corporate network 192.168.5.0, Router/Firewall at 5.99, MAP at 5.7 with SSID=Guest (QoS=VAP-based Low), SSID=Video (QoS=VAP-based High), SSID=Employee (QoS=VAP-based Normal), SSID=Spectralink (QoS=Diffsrv) and SSID=SIP (QoS=VAP-based High).]
Configure the VSC

Important: Start with the configuration defined in Scenario 2a.

Add a VSC

Use the following steps to define the virtual service community required for this scenario.

1. Select VSC > Profiles.
2. Click Add New Profile.
   - Under Name, enter Phone.
   - Under WLAN name (SSID), enter Spectralink.
   - Under Virtual AP, QoS priority mechanism, leave the default selection Diffsrv, which maps phone traffic to traffic queue 1.
   - Clear the Wireless security filters checkbox.
   - Under MAC Filter:
     - Enable the MAC Filter checkbox.
     - Select Allow.
     - Under MAC address, enter the MAC address for each phone.
     - Click Add.
3. Click Add New Profile.
   - Under Name, enter Phone.
   - Under WLAN name (SSID), enter SIP.
   - Clear the Wireless security filters checkbox.
   - Under Virtual AP, QoS priority mechanism, leave the default selection VAP-based Very High, which maps phone traffic to traffic queue 1.
   - Under MAC Filter:
     - Enable the MAC Filter checkbox.
     - Select Allow.
     - Under MAC address, enter the MAC address for each phone.
     - Click Add.
4. Click Save.
Scenario 3: Adding wireless networking to a segmented network

With support for VLANs and multiple SSIDs, the MAP provides for seamless integration into an existing segmented network architecture.

How it works

In this scenario, multiple VSCs are used to provide a wireless architecture that mirrors the segmented configuration of the backbone LAN. Wireless traffic is secured using either 802.1x or WPA and leverages the existing corporate RADIUS server for employee authentication. Since all MAPs are installed on the same network segment, and each features an identical wireless setup, employees are able to roam between wireless cells without losing their network connection. An unprotected guest network is provided, allowing company guests to access the Internet through a wireless connection.

[Figure: sample topology. Labels: RADIUS and DHCP server, Server 1, Server 2, Router/Firewall, VLAN 40, VLAN 50, VLAN 60, 802.1Q trunks, Layer 3 switch with trunk port, MAP 1, MAP 2 and MAP 3 (50.2, 50.3, 50.4) with LAN port VLAN=50, SSID=Guest VLAN=40, SSID=Priv_802.1x VLAN=60, SSID=Priv_WPA VLAN=60.]
About the SSIDs and VLANs

This scenario uses the following SSIDs and VLANs:

- Guest: This SSID has no encryption enabled and is mapped to VLAN 40. This permits guests to access the Internet only.
- Priv_802.1x: This SSID is defined with 802.1x security and is mapped to VLAN 60. Employee authentication occurs by way of the corporate RADIUS server.
- Priv_WPA: This SSID is defined with WPA security and is mapped to VLAN 60.
- Default VLAN: The default VLAN is set to 50. Since all user traffic on the MAP is mapped to either 40 or 60, only management traffic is sent on VLAN 50, which includes all communication with the corporate RADIUS server and configuration activities. For this to work, LAN port 1 must be used to connect the MAP to the corporate network.

Addressing details

Following are addressing details used in this scenario:

- The MAPs are connected to the layer 3 switch through LAN port 1.
- Each MAP has a unique static IP address on the 50.0 segment.
- Employees on the Guest, Priv_802.1x, and Priv_WPA SSIDs are bridged to the appropriate VLAN. This means that they receive an IP address from the DHCP server on the network.
- The Layer 3 switch provides routing between VLAN 60 and VLAN 40, enabling employees to access the Internet.

Configuration road map

Install the MAPs

1. Install the MAP as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, configure them as described in the sections that follow.

Configure the wireless network

By default each MAP is configured to:
- Automatically select the best operating frequency
- Create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.
Define the VLANs and network addressing

Define VLANs 40 and 60 so that later they can be mapped to VSCs.

1. Select Network > VLAN.
2. Click Add New VLAN.
   - Under General:
     - Leave the Port selection as Port 1.
     - Set VLAN ID to 40.
     - Set VLAN name to Guest.
   - Under Assign IP address via, select DHCP client.
   - Click Save.
3. Click Add New VLAN.
   - Under General:
     - Leave the Port selection as Port 1.
     - Set VLAN ID to 60.
     - Set VLAN name to Employee.
   - Under Assign IP address via, select DHCP client.
   - Click Save.
4. Select Network > Ports.
5. Click Bridge port.
   - Under Assign IP address via, select Static, then click Configure.
   - Define static addressing as required by your corporate network.
   - Click Save.
6. Select Network > Ports.
7. Click Port 1.
   - Under VLAN, select VLAN ID and set it to 50.
   - Select the Restrict default VLAN to management traffic only checkbox.
   - Click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.
Configure the VSCs

Use the following steps to define three virtual service communities on each MAP:

1. Select VSC > Profiles.
2. Click Add New Profile.
   - Under General, set Name to Guest.
   - Under SSID, set WLAN name to Guest.
   - Under Egress VLAN, select the VLAN ID of 40, which corresponds to Guest.
   - Clear the Wireless Security Filters checkbox.
   - Click Save.
3. Click Add New Profile.
   - Under General, set Name to Priv_WPA.
   - Under SSID, set WLAN name to Priv_WPA.
   - Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select WPA.
     - Set Mode to WPA or WPA2.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
   - Click Save.
4. Click Add New Profile.
   - Under General, set Name to Priv_8021x.
   - Under SSID, set WLAN name to Priv_8021x.
   - Under Egress VLAN, select the VLAN ID of 60, which corresponds to Employee.
   - Disable the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
   - Click Save.

Configure the RADIUS server

Configure the RADIUS server to return VLAN 60 for employee accounts. You can do this by setting the following standard RADIUS attributes on the server:

   tunnel-type=vlan
   tunnel-medium-type=802
   tunnel-private-group-id=60
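To confirm that the RADIUS server really returns these three attributes for an employee account, the Access-Accept can be decoded and checked. The following is an added example, not code from Colubris or from this guide: it parses the attribute section of a RADIUS packet and extracts the assigned VLAN using the standard attribute numbers (64, 65, 81) and values (VLAN = 13, 802 = 6). The function names and the sample packet are constructed for illustration.

```python
import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 2868, RFC 3580)
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13        # Tunnel-Type value meaning "VLAN"
IEEE_802 = 6     # Tunnel-Medium-Type value meaning "802"


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type payload: 1-byte tag + 24-bit integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(attrs, identifier=1):
    """Constructed sample packet. The 16-byte authenticator is zeroed, so it
    is suitable for parsing only and is not a valid signed response."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on bad framing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def assigned_vlan(packet):
    """VLAN ID carried by an Access-Accept, or None when the three tunnel
    attributes are not all present with the values the guide lists."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    tunnels = {}  # tag -> {attribute type: decoded value}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            tunnels.setdefault(value[0], {})[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00-0x1F is a tag; anything higher is already text.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[a_type] = text.decode("ascii")
    for _tag, t in sorted(tunnels.items()):
        if t.get(TUNNEL_TYPE) == VLAN and t.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
            group = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


def audit_accept(packet, expected_vlan=60):
    """Compare the returned VLAN with the one the scenario expects."""
    vlan = assigned_vlan(packet)
    if vlan is None:
        return "no-vlan"
    return "ok" if vlan == expected_vlan else f"wrong-vlan:{vlan}"


# Constructed sample: the reply the guide asks for on employee accounts.
EMPLOYEE_ACCEPT = build_access_accept([
    attr(TUNNEL_TYPE, tagged_int(VLAN)),
    attr(TUNNEL_MEDIUM_TYPE, tagged_int(IEEE_802)),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"60"),
])

if __name__ == "__main__":
    print(audit_accept(EMPLOYEE_ACCEPT))
```

A result of no-vlan or wrong-vlan for an employee account means the reply does not carry the VLAN 60 assignment this scenario calls for.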
Scenario 4: Roaming across different subnets (single MSC)

Colubris supports roaming across different subnets by utilizing MAPs in combination with an MSC. This scenario shows how a single MSC can be used to service MAPs on different subnets.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on two different subnets. Client stations are able to roam between MAPs without losing their connection, even across different subnets.

The MSC provides centralized management of client sessions to support layer 3 roaming between wireless cells. The MAPs automatically discover the MSC and establish a secure tunnel with it, through which they can exchange management and control information to support features such as fast authentication and layer 3 mobility.

The layer 3 mobility feature is used in this scenario to support client station roaming between subnets. The fast authentication feature enables quick handoff between MAPs on the same subnet.

Wireless security is provided by enabling 802.1x on the MAPs, using the services of the RADIUS server to validate logins.

Address allocation is provided by the DHCP server for all devices, even wireless client stations. (The routers must be configured to support DHCP relay.)

[Figure: sample topology. Labels: Router/Firewall, DHCP server, RADIUS server (5.1, 5.2, 5.3), MSC (LAN port), two routers serving 192.168.1.0 and 192.168.2.0, MAP A, MAP B, MAP C and MAP D (1.2 to 1.5, 2.2 to 2.5), each providing a WLAN, Area 1 and Area 2.]
Autodiscovery

Discovery of MSCs on the same subnet as a MAP is automatic and occurs through Layer 2 broadcasts.

Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP server is properly configured. By default a MAP searches for MSCs with the names cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server.

In this example, the DHCP server is configured to return company.lan as the default domain. This means the MAPs will search for MSCs with the following names (in order):

   cnserv1.company.lan
   cnserv2.company.lan
   cnserv3.company.lan

By setting up the DHCP server to associate the name cnserv1.company.lan with the IP address of the MSC, the MAPs will automatically be able to find and establish a secure tunnel with it. No configuration is necessary on the MAPs.

Configuration road map

Install the MAPs and the MSC

1. Install the MAPs as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, configure them as described in the sections that follow.

Configure the MAPs

Configure the wireless network

By default each MAP is configured to:
- Automatically select the best operating frequency
- Create a wireless network named Colubris Networks

There is no need to change these settings for this scenario.

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure addressing

By default, the MAPs are set to operate as DHCP clients. In the sample topology they are automatically assigned IP addresses by the DHCP server (through DHCP relay on the routers). To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.
Configure the VSCs

Use the following steps to define a virtual service community on each MAP:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list.
   - Under General, set Name to Priv_8021x.
   - Under General, disable Use Colubris access controller.
   - Under SSID, set WLAN name to Priv_8021x.
   - Under Mobility, select the Enable L2 Fast Authentication checkbox.
   - Disable the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
3. Click Save.

Configure the MSC

Note: To support fast authentication and layer 3 mobility the MSC must have the COS Services Pack license installed.

Configure addressing

By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this scenario, the address needs to be changed to 192.168.5.3.

1. Under Port configuration, click LAN port.
2. Under Addressing, set LAN IP port address to 192.168.5.3.
3. Under Addressing, set LAN port mask to 255.255.255.0.
4. Click Save.

Note: After clicking Save you will have to reconnect to the management tool using the new address.
Scenario 5: Roaming across different subnets (multiple MSCs)

Colubris supports roaming across different subnets by utilizing MAPs in combination with an MSC. This scenario shows how multiple MSCs can be used, by installing one on each subnet.

How it works

In this scenario multiple MAPs are installed to provide wireless networking coverage on two different subnets. Client stations are able to roam between MAPs without losing their connection, even across different subnets.

The MSC provides centralized management of client sessions to support layer 3 roaming between wireless cells. The MAPs automatically discover the MSC and establish a secure tunnel with it, through which they can exchange management and control information to support features such as fast authentication and layer 3 mobility.

The layer 3 mobility feature is used in this scenario to support client station roaming between subnets. The fast authentication feature enables quick handoff between MAPs on the same subnet.

To support roaming between the subnets, the two MSCs also establish a secure channel with each other to exchange management and control information. One MSC is designated as the primary. In this scenario, it is MSC A.

Wireless security is provided by enabling 802.1x on the MAPs, using the services of the RADIUS server to validate logins.

Address allocation is provided by the DHCP server for all devices, even wireless client stations. (The router must be configured to support DHCP relay.)

[Figure: sample topology. Labels: DHCP server, RADIUS server, Router/Firewall (5.1, 5.2, 5.3) on 192.168.5.0, Router, MSC A (1.6) on 192.168.1.0, MSC B (2.6) on 192.168.2.0, MAP A, MAP B, MAP C and MAP D (1.2 to 1.5, 2.2 to 2.5), each providing a WLAN, Area 1 and Area 2.]
Autodiscovery

Discovery of MSCs on the same subnet as a MAP is automatic and occurs through Layer 2 broadcasts.

Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP server is properly configured. By default a MAP searches for MSCs with the names cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server.

In the above example, the DHCP server is configured to return company.lan as the default domain. This means the MAPs will search for MSCs with the following names (in order):

   cnserv1.company.lan
   cnserv2.company.lan
   cnserv3.company.lan

By setting up the DHCP server to associate the name cnserv1.company.lan with the IP address of the MSC, the MAPs will automatically be able to find and establish a secure tunnel with it. No configuration is necessary on the MAPs.

Configuration road map

Install the MAPs and the MSC

1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the sections that follow.

Configure the MAPs

Configure the wireless network

By default each MAP is configured to automatically select the best operating frequency. There is no need to change this setting for this scenario.

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure addressing

By default, the MAPs are set to operate as DHCP clients. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.
Configure the VSCs

Use the following steps to define a virtual service community on each MAP:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
   - Under General, set Name to 8021x.
   - Under General, disable Use Colubris access controller.
   - Under SSID, set WLAN name to 8021x.
   - Disable the Wireless Security Filters checkbox.
   - Under Wireless protection:
     - Enable the checkbox and select 802.1x.
     - For RADIUS profile, select Corporate.
     - Select RADIUS accounting.
     - Select Mandatory authentication.
3. Click Save.

Configure the MSCs

Note: To support fast authentication and layer 3 mobility the MSC must have the COS Services Pack license installed.

Configure addressing

By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this scenario, the address needs to be changed as follows:

1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to 192.168.1.6 for MSC A and 192.168.2.6 for MSC B.
4. Under Addressing, set LAN port mask to 255.255.255.0 for both units.
5. Click Save.

Configure controller discovery on MSC A

1. Select Management, click Controller discovery.
2. Under Controller discovery:
   - Select the Enable controller discovery checkbox.
   - Select the This MSC is primary checkbox.
3. Click Save.

Configure controller discovery on MSC B

1. Select Management, click Controller discovery.
2. Under Controller discovery:
   - Select the Enable controller discovery checkbox.
   - Clear the This MSC is primary checkbox.
   - Set IP address of primary controller to 192.168.1.6.
3. Click Save.
Scenario 6: Access-controlled VSCs and roaming

This scenario shows you how to use the access control functions on the MSC, while at the same time supporting layer 2 roaming.

How it works

In this scenario two MAPs are installed to provide wireless networking coverage.

[Figure: sample topology. Labels: DHCP/DNS server, RADIUS server, Router/Firewall and Router on 192.168.5.0 (5.1 to 5.5); MSC with Internet port and LAN port; VLAN 10 (Private), VLAN 20 (Guest), VLAN 30 (Management); gateway addresses 192.168.10.1, 192.168.20.1 and 192.168.30.1; DHCP relay enabled on VLAN 10; VLAN switch; MAP A and MAP B on 192.168.30.0 (30.10, 30.20) connected through LAN port 1, each with SSID Private and SSID Guest; example clients IP=192.168.10.10 Gateway=192.168.10.1 and IP=192.168.20.15 Gateway=192.168.20.1.]

VSCs on the MAPs

Each MAP has two VSCs defined on it as follows:

Private

This VSC is used by employees to access the corporate network. It is not access controlled. It uses 802.1x to provide secure networking and validates logins using the corporate RADIUS server. Once authenticated, employee traffic is forwarded on VLAN 10. Employees are able to roam between MAPs without losing their connection, even across different subnets.
Guest

This VSC is used by company guests. It is access controlled, which means:

- Guest authentication is handled by the MSC in conjunction with the RADIUS server, rather than on the MAP.
- Guests log in through the public access interface that is provided by the MSC.
- Guests cannot roam between subnets. Roaming is only supported on the same subnet when a VAP is access controlled.

The VSC forwards guest traffic to the MSC on VLAN 20. Once authenticated, guest traffic is forwarded through the Internet port on the MSC. An access list definition is used to restrict guest traffic to the router/firewall. This way customers gain access to the Internet but not the corporate network.

Addressing

- Client stations on the Private VSC are assigned addresses on 192.168.10.0 by the DHCP server by way of the DHCP relay function on the router. The DHCP server must return the default gateway as the router (192.168.10.1) for these stations.
- The MAPs are assigned addresses on 192.168.30.0 by the DHCP server by way of the DHCP relay function on the router. The DHCP server must return the default gateway as the router (192.168.30.1) for the MAPs.
- Client stations on the Guest VSC are assigned addresses on 192.168.20.0 by the DHCP server by way of the DHCP relay function on the MSC. The DHCP server must return the default gateway as the MSC (192.168.20.1) for these stations.
- The management VLAN on both MAPs must be configured as the default VLAN on LAN port 1 for compatibility with the auto-discovery feature.
- The MAPs are assigned addresses on 192.168.30.0 by the DHCP server by way of the DHCP relay function on the router. The DHCP server must return the default gateway as the router (192.168.30.1) for these stations.
- The corporate DHCP server must be configured to serve addresses on subnet 192.168.20.0 for DHCP requests from the MSC's relay agent, and on subnets 192.168.10.0 and 192.168.30.0 for DHCP requests from the router relay agent.
- For the DHCP relay function to work on the MSC and on the router, Network Address Translation (NAT) must be disabled on both devices. As a result, routes for the 192.168.10.0, 192.168.20.0 and 192.168.30 subnets must exist on the corporate servers (DHCP, DNS, and RADIUS).

Autodiscovery

Discovery of an MSC on the same subnet as a MAP is automatic and occurs through Layer 2 broadcasts.

Discovery of MSCs on different subnets from a MAP is fully automated if the DHCP server is properly configured. By default a MAP searches for MSCs with the names cnsrv1, cnsrv2, and cnsrv3 on the default domain returned by the DHCP server.

In the above example, the DHCP server is configured to return company.lan as the default domain. This means the MAPs will search for MSCs with the following names (in order):

   cnserv1.company.lan
   cnserv2.company.lan
   cnserv3.company.lan

By setting up the DHCP server to associate the name cnserv1.company.lan with the IP address of the MSC, the MAPs will automatically be able to find and establish a secure tunnel with it. No configuration is necessary on the MAPs.
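Because the MAPs trust whatever address these names resolve to, it is worth checking from the MAP subnets that each discovery name either does not resolve or resolves only to an approved MSC. The following is an added example, not part of the guide or of Colubris software; it applies to the Autodiscovery sections of Scenarios 4, 5 and 6. The function names, the approved-address set and the sample records are assumptions, and since the guide spells the host part both as cnsrv and cnserv, the list of labels is a parameter.

```python
import socket

# Host labels a MAP tries, in order. The guide writes them both as cnsrvN and
# as cnservN, so callers pass the spelling their DNS zone actually uses.
DEFAULT_LABELS = ("cnsrv1", "cnsrv2", "cnsrv3")


def discovery_names(domain, labels=DEFAULT_LABELS):
    """Fully qualified names searched on the DHCP-supplied default domain."""
    return [f"{label}.{domain.strip('.')}" for label in labels]


def system_resolver(name):
    """Resolve a name to its IPv4 addresses using the host's resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit_discovery(domain, approved_mscs, labels=DEFAULT_LABELS,
                    resolver=system_resolver):
    """Classify every discovery name as unresolved, approved or unexpected.

    'unexpected' means the name resolves to at least one address that is not
    in approved_mscs, so a MAP could build its tunnel to an unknown device.
    """
    approved = set(approved_mscs)
    report = []
    for name in discovery_names(domain, labels):
        addresses = resolver(name)
        if not addresses:
            status = "unresolved"
        elif any(addr not in approved for addr in addresses):
            status = "unexpected"
        else:
            status = "approved"
        report.append({"name": name, "addresses": addresses, "status": status})
    return report


def discovery_is_safe(report):
    """True when some name reaches an approved MSC and none resolves elsewhere."""
    statuses = [entry["status"] for entry in report]
    return "approved" in statuses and "unexpected" not in statuses


# Constructed sample records: only the first name exists and it points at the
# MSC address used in Scenario 4 (192.168.5.3).
SAMPLE_ZONE = {"cnserv1.company.lan": ["192.168.5.3"]}


def sample_resolver(name):
    """Offline stand-in for DNS, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    labels = ("cnserv1", "cnserv2", "cnserv3")
    for entry in audit_discovery("company.lan", {"192.168.5.3"},
                                 labels=labels, resolver=sample_resolver):
        print(entry["name"], entry["addresses"], entry["status"])
```

Run it with the default resolver from a host that receives the same DHCP domain and DNS servers as the MAPs, so the answers match what the MAPs see.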
Configuration road map

Important: Start with the configuration defined in Scenario 5a.

Install the MAPs and the MSC

1. Install the MAP and MSCs as described in the quickstart guide.
2. Before you connect the devices to the network, configure them as described in the sections that follow.

Configure the MAPs

Configure the wireless network

By default each MAP is configured to automatically select the best operating frequency. There is no need to change this setting for this scenario.

Note: By default, one radio on the MAP-330 is used to provide the wireless network, and the other is placed into Monitor mode.

Configure the connection to the access controller

By default, the MAPs are configured to use the default gateway returned by the DHCP server as the access controller. In this scenario, the default gateway is not the access controller, therefore the address of the access controller must be statically configured on both MAPs as follows:

1. Select Security > Access controller.
2. Under Access controller address, select Specify access controller MAC address and specify the MAC address of the MSC LAN port.
3. Click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Create VLANs

Three VLANs need to be defined on each MAP: VLAN 10 for employee traffic, VLAN 20 for guest traffic, and VLAN 30 to permit management traffic to reach the MSC.

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General: Leave the Port selection as LAN port.
   - Set VLAN ID to 10.
   - Set VLAN name to Private.
   - Under Assign IP address via, select Static.
   - On MAP A, set IP address to 192.168.30.2.
   - On MAP B, set IP address to 192.168.30.3.
   - Set Mask to 255.255.255.0.
   - Leave Gateway blank.
   - Click Save.
3. Under VLAN configuration, click Add New VLAN.
   - Under General: Leave the Port selection as LAN port.
   - Set VLAN ID to 20.
   - Set VLAN name to Guest.
   - Under Assign IP address via, select None.
   - Click Save.
4. Under Port configuration, click Port 1.
   - Under VLAN: Select the VLAN checkbox.
   - Set VLAN ID to 30.
   - Select the Restrict default VLAN to management traffic only checkbox.
   - Click Save.

Configure the VSCs

Use the following steps to define a virtual service community on each MAP:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
   - Under General, set Name to Private.
   - Under General, disable Use Colubris access controller.
   - Under SSID, set WLAN name to Private.
   - Disable the Wireless security filters checkbox.
   - Under Wireless protection: Enable the checkbox and select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
   - Click Save.
3. Click the Add New Profile button.
   - Under General, set Name to Guest.
   - Under General, enable Use Colubris access controller.
   - Under SSID, set WLAN name to Guest.
   - Disable Wireless protection.
   - Click Save.
Configure the MSCs

Note: To support fast authentication and layer 3 mobility the MSC must have the COS Services Pack license installed.

Configure Internet port addressing

By default, the MSC is set to operate as a DHCP client on its Internet port. The DHCP server should be configured to assign the default gateway to be the router/firewall at 192.168.5.3.

Enable DHCP relay

Enable the DHCP relay option. DHCP requests will be forwarded to the DHCP server assigned to the Internet port.

1. Select Network > Address allocation.
2. Select DHCP relay agent.
3. Click Save.

Disable NAT on the Internet port

For DHCP relay to work on the MSC, NAT must be disabled on the Internet port.

1. Select Network > Ports.
2. Select Internet port.
3. Clear the Network address translation (NAT) checkbox.
4. Click Save.

Configure LAN port addressing

By default, the MSC's LAN port is set to the static IP address 192.168.1.1. For this scenario, the address needs to be changed as follows:

1. Select Network > Ports.
2. Under Port configuration, click LAN port.
3. Under Addressing, set LAN IP port address to 192.168.20.1.
4. Under Addressing, set LAN port mask to 255.255.255.0.
5. Click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. For Profile Name, enter Corporate.
4. Under Primary RADIUS server, specify the Server address (192.168.5.2) and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.
Configure VLANs

VLAN 20 needs to be defined to support guest traffic. It will be associated with the Guest VSC. VLAN 30 needs to be defined for management traffic. It is not associated with a VSC.

1. Select Network > Ports.
2. Under VLAN configuration, click Add New VLAN.
   - Under General: Leave the Port selection as LAN port.
   - Set VLAN ID to 20.
   - Set VLAN name to Private.
   - Under Assign IP address via, select None.
   - Click Save.
3. Under VLAN configuration, click Add New VLAN.
   - Under General: Leave the Port selection as LAN port.
   - Set VLAN ID to 30.
   - Set VLAN name to Management.
   - Under Assign IP address via, select Static.
   - Set IP address to 192.168.30.2.
   - Set Mask to 255.255.255.0.
   - Leave Gateway blank.
   - Click Save.

Configure the guest VSC

To handle guest traffic, a matching guest VSC must be created on the MSC as follows:

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in the list to edit it.
3. On the Add/Edit Virtual Service Community page:
   - Under General, enter the Name as Public.
   - Under Virtual AP, enter the WLAN name (SSID) as Guest.
   - Under VSC ingress mapping, disable the SSID checkbox.
   - Under VSC ingress mapping, select the VLAN and then select Guest.
   - Enable HTML-based user logins.
   - Select the RADIUS authentication checkbox.
   - For RADIUS Profile, select Corporate.
   - Click Save.
Define access list

To maintain network security, customer traffic needs to be restricted to the router/firewall only. Do this on both MSCs by defining an access list as follows:

1. Select Security > Local config.
2. Click the Add New Attribute button.
3. On the Add/Edit attribute page:
   - Under Attribute, set Name to ACCESS-LIST.
   - Under Attribute, set Value to guest,accept,tcp,192.168.5.3,all
   - Click Add.
4. Click the Add New Attribute button.
5. On the Add/Edit attribute page:
   - Under Attribute, set Name to USE-ACCESS-LIST.
   - Under Attribute, set Value to guest
   - Click Add.
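The access list above, evaluated against a few constructed flows so its effect can be reviewed before deployment. This is an added example, not Colubris code: the field order name,action,protocol,address,port is read off the value shown, and treating "all" as a wildcard and unmatched traffic as dropped are assumptions; parse_rule, decide and audit are hypothetical helper names.

```python
"""Evaluate flows against ACCESS-LIST values of the form used in this scenario.

Added example, not Colubris code. Assumptions: the five fields are
name,action,protocol,address,port; "all" is a wildcard; rules are checked in
order; traffic that matches no rule of the active list is dropped.
"""
import ipaddress
from typing import NamedTuple, Optional

ACTIONS = {"accept", "deny"}            # only the actions this example models
PROTOCOLS = {"tcp", "udp", "icmp", "all"}


class Rule(NamedTuple):
    list_name: str
    action: str
    protocol: str
    address: str   # "all" or a network in CIDR text form
    port: str      # "all" or a decimal port number


def parse_rule(value: str) -> Rule:
    """Parse one ACCESS-LIST value; raise ValueError on anything unexpected."""
    fields = [f.strip().lower() for f in value.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {value!r}")
    name, action, protocol, address, port = fields
    if not name:
        raise ValueError("empty access list name")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if address != "all":
        # A bare host address becomes a /32 network; bad input raises ValueError.
        address = str(ipaddress.ip_network(address, strict=False))
    if port != "all":
        if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad port {port!r}")
    return Rule(name, action, protocol, address, port)


def decide(rules, active_list: str, protocol: str, dst_ip: str,
           dst_port: Optional[int] = None) -> str:
    """Return "accept" or "deny" for one flow from a station using active_list."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.list_name != active_list.lower():
            continue
        if rule.protocol not in ("all", protocol.lower()):
            continue
        if rule.address != "all" and dst not in ipaddress.ip_network(rule.address):
            continue
        if rule.port != "all" and (dst_port is None or int(rule.port) != dst_port):
            continue
        return rule.action
    return "deny"   # assumption: no matching rule means the traffic is dropped


def audit(access_list_values, use_access_list: str, flows):
    """Return (flow, decision) pairs; refuse a USE-ACCESS-LIST with no rules."""
    rules = [parse_rule(v) for v in access_list_values]
    if not any(r.list_name == use_access_list.lower() for r in rules):
        raise ValueError(f"USE-ACCESS-LIST names undefined list {use_access_list!r}")
    return [(flow, decide(rules, use_access_list, *flow)) for flow in flows]


# Attribute values exactly as entered in the steps above.
ACCESS_LIST = ["guest,accept,tcp,192.168.5.3,all"]
USE_ACCESS_LIST = "guest"

# Constructed sample flows: (protocol, destination address, destination port).
SAMPLE_FLOWS = [
    ("tcp", "192.168.5.3", 80),     # router/firewall, TCP
    ("udp", "192.168.5.3", 53),     # router/firewall, UDP
    ("icmp", "192.168.5.3", None),  # router/firewall, ICMP
    ("udp", "192.168.5.2", 1812),   # corporate RADIUS server
    ("tcp", "192.168.5.2", 445),    # same corporate host, TCP
]

if __name__ == "__main__":
    for flow, verdict in audit(ACCESS_LIST, USE_ACCESS_LIST, SAMPLE_FLOWS):
        print(f"{verdict:6} {flow}")
```

Under these assumptions the single rule admits only TCP addressed to 192.168.5.3, so the same audit can be rerun whenever a rule is added to confirm that corporate hosts stay unreachable from the Guest VSC.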
Chapter 5: WDS scenarios

In this chapter you can find sample deployment strategies for using the wireless distribution system (WDS) standard to wirelessly extend and interconnect networks.
In this chapter

This chapter contains the following scenarios.

- Wireless bridging considerations
- Scenario 1: Using RF extension to expand a wired network
- Scenario 2: Deploying a point-to-point wireless link
- Scenario 3: Setting up multi-hop wireless links
Wireless bridging considerations

Single or dual radios?

A single-radio MAP can be configured to simultaneously support wireless clients and the creation of one or more wireless bridges. Although this is an economical solution, it offers reduced throughput since the total available bandwidth is shared between the bridge and the wireless clients.

A more effective solution is to use a dual-radio MAP, with one radio dedicated to support wireless client stations and the other used for wireless bridging. Another solution would be to use two single-radio MAPs, with one servicing wireless clients and the other dedicated to bridging.

Using 802.11a for WDS

Colubris Networks recommends using 802.11a for wireless bridging whenever possible. This optimizes throughput and reduces the potential for interference because:

- Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in the 2.4 GHz band. This frees the 5 GHz (802.11a) band for use in other applications such as WDS.
- 802.11a provides more channels and more non-overlapping channels (twelve, including four that are dedicated for point-point use) than 802.11b/g.
- Assuming an optimal implementation, 802.11a supports up to 54 Mbps for data throughput, providing a fat pipe for Point-Point or Point-Multipoint WDS communications.

Keep in mind that there are limitations inherent in using 802.11a, most notably shorter reach when compared to 2.4 GHz-based technology. Even so, 802.11a is a good choice in general for WDS.
Scenario 1: Using RF extension to expand a wired network

Extending a wired network using WDS technology is a quick and effective solution for increasing network coverage.

How it works

In this scenario a corporate network uses three MAPs to provide wireless access for employees. Units 1 and 2 are installed in locations that are currently served by the backbone network. Unit 3 is deployed in an area without cabling support and uses a wireless bridge to link with unit B.

Each MAP features two VSCs, one supporting 802.1x and one WPA. Both use the corporate RADIUS server to authenticate wireless clients. The corporate DHCP server assigns addresses to all stations, even those on the other side of the wireless bridge.

[Figure: Corporate Network 192.168.5.0 with employee workstations, RADIUS server and DHCP server; MAP 1, MAP 2 and MAP 3 serving wireless clients in 802.11b/g mode; wireless bridge on radio 2 operating in 802.11a mode.]

Note: For the bridge to be successful, the wireless cells of units 2 and 3 must overlap, and both units must be operating in the same wireless mode and on the same channel.
Configuration road map

Install the MAPs

1. Install the MAPs as described in the quickstart guide.
2. Before you connect the MAPs to the LAN, start the Management Tool and configure all MAPs as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and non-overlapping with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

Radio 2 will be used to create the bridge on units 2 and 3. Do the following on MAP 2 and MAP 3:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Operating mode to 802.11b + 802.11g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
4. Click Save.

Enable the wireless bridge

Do the following on MAP 2 and MAP 3:

1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the address of wireless port 2 on the other MAP.
6. Click Save.
Make performance adjustments

Make performance adjustments to MAP 2 and MAP 3 with the following steps:

1. Select Network > Discover protocol.
2. Under Discovery protocol settings, select Disabled. (This suppresses the unnecessary generation of CDP packets to improve throughput on the bridge.)
3. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
4. Select Status > Wireless.
5. Under Wireless links status, use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Link speed to report its new value.

Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.

Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
   - Under General, set Name to 8021x.
   - Under SSID, set WLAN name to 8021x.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection: Enable the checkbox and select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Click Save.
3. Click Add New Profile.
   - Under General, set Name to WPA.
   - Under SSID, set WLAN name to WPA.
   - Clear the Wireless security filters checkbox.
   - Under Wireless protection: Enable the checkbox and select WPA.
   - Set Mode to WPA or WPA2.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
   - Click Save.
Scenario 2: Deploying a point-to-point wireless link

This scenario shows you how to use a point-to-point wireless bridge to connect two networks located in different buildings. In many cases, it can be more practical and far less expensive to connect two networks wirelessly than by running cable between them. For example, when:

- the distance between two buildings exceeds Ethernet cabling limits
- an obstacle (body of water, street, public park) separates the two buildings
- the characteristics of one or both buildings preclude adding wires due to safety risks or building code restrictions
- the link is required for a temporary or short-term solution or needs to be deployed quickly

How it works

In this scenario two MAPs are used to wirelessly link the networks in two offices located in neighboring buildings, enabling workers in both offices to share data and resources as if they were on the same network. To maximize signal power, directional antennas are used to establish the connection, which must be line-of-sight.

Single-radio

When using single-radio units with a directional antenna, a local wireless network cannot be created at each office. Instead the MAPs are directly connected to the backbone LANs in each office.

[Figure: Building 1 and Building 2, each with employee workstations and a MAP (MAP 1, MAP 2) fitted with a directional antenna on the main connector; RADIUS server and DHCP server on the wired network; wireless bridge with the radio operating in 802.11a mode.]
Dual-radio

With dual-radio units, radio 1 can be used to provide wireless networking, and radio 2 can be used to establish the wireless bridge. Each MAP on radio 1 features two VSCs, one supporting 802.1x and one WPA. Both use the corporate RADIUS server to authenticate wireless clients.

[Figure: Building 1 and Building 2, each with employee workstations and a MAP (MAP 1, MAP 2); RADIUS server and DHCP server on the wired network; radio 1 on each MAP operating in 802.11b/g mode; wireless bridge between directional antennas with radio 2 operating in 802.11a mode.]

Configuration road map: single radio

Install the MAPs

1. Install the MAPs as described in the quickstart guide.
2. Attach a directional antenna to the Main radio connector.
3. Before you connect the MAPs to the LAN, start the Management Tool and configure all MAPs as described in the sections that follow.

Configure the wireless network

1. Select Wireless > Radio.
2. Under Radio:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
3. Click Save.
Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.

Enable the wireless bridge

Do the following on both MAPs:

1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings, select Enabled.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of the other unit.
6. Click Save.

Make performance adjustments

Make performance adjustments to MAP 2 and MAP 3 with the following steps:

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Link speed to report its new value.
Configuration road map: dual radios

Install the MAPs

1. Install the MAPs as described in the quickstart guide.
2. Attach a directional antenna to the Main connector for radio 2.
3. Before you connect the MAPs to the LAN, start the Management Tool and configure all MAPs as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and non-overlapping with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

Radio 2 will be used to create the bridge. Do the following on both MAPs:

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Operating mode to 802.11b + 802.11g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
4. Click Save.

Configure addressing

By default, the MAPs are set to operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage, however, it may be useful to assign a static IP address to them as follows:

1. Select Network > Ports.
2. Under Port configuration, click Bridge port.
3. Under Assign IP address via, select Static, then click the Configure button.
4. Set the static addressing parameters as required by the network and click Save.
Enable the wireless bridge

Do the following on both MAPs:

1. Select Wireless > Wireless links.
2. Click Wireless link #1 to edit it.
3. Under Settings:
   - Select Enabled.
   - For Transmit/receive on, select Radio 2.
4. Under Security:
   - Enable the checkbox.
   - Select WEP.
   - Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
5. Under Addressing, set Remote MAC address to the MAC address of wireless port 2 on the other unit.
6. Click Save.

Make performance adjustments

Make performance adjustments with the following steps:

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Link speed to report its new value.

Configure the connection to the RADIUS server

1. Select Security > RADIUS.
2. Click Add New Profile.
3. Under Profile Name, enter Corporate.
4. Under Primary RADIUS server, enter the Server address and Secret for the corporate RADIUS server. Under Confirm, reenter the shared secret.
5. Click Save.
Configure a VSC

1. Select VSC > Profiles.
2. Click the Colubris Networks profile in order to edit it.
   - Under General, set Name to 8021x.
   - Under SSID, set WLAN name to 8021x.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection: Enable the checkbox and select 802.1x.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Click Save.
3. Click Add New Profile.
   - Under General, set Name to WPA.
   - Under SSID, set WLAN name to WPA.
   - Clear the Wireless Security Filters checkbox.
   - Under Wireless protection: Enable the checkbox and select WPA.
   - Set Mode to WPA or WPA2.
   - For RADIUS profile, select Corporate.
   - Select RADIUS accounting.
   - Select Mandatory authentication.
   - Click Save.
Scenario 3: Setting up multi-hop wireless links

The Colubris WDS implementation can be used to provide repeater-like functionality to extend the distance that a wireless bridging solution can span. When signal loss or excessive distance between the two stations precludes the use of a single hop/high gain directional antenna solution, a multi-hop strategy can be used to deploy the service.

How it works

In this scenario three MAPs are used to create a wireless link between two buildings that are not within direct line of sight.

[Figure: Building 1 and Building 2, each with employee workstations; RADIUS server and DHCP server on the wired network; MAP 1 and MAP 2 with radio 1 operating in 802.11b/g mode and a directional antenna on radio 2; MAP 3 with antennas on both radios, both operating in 802.11a mode; links on Channel 44 and Channel 36.]

MAP 3 is within line of sight of both MAP 1 and MAP 2. The two radios on MAP 3 are set to operate on different channels to avoid interference and increase throughput. (Every added WDS-link on the same frequency cuts throughput roughly by a factor of two.)

This concept can be extended to cover even longer ranges as follows:

[Figure: MAP 1 to MAP 5 chained between Building 1 and Building 2, with successive links alternating between Channel 44 and Channel 36.]
Configuration road map

Install the MAPs

1. Install the MAPs as described in the quickstart guide.
2. Attach directional antennas to the Main radio connectors as follows:
   - On MAPs 1 and 2, attach to radio 2.
   - On MAP 3, attach to both radio 1 and radio 2.
3. Before you connect the MAPs to the LAN, start the Management Tool and configure all MAPs as described in the sections that follow.

Configure the wireless network

For optimum performance, the wireless channel used for the wireless bridge should be different from, and non-overlapping with, the channel used to support wireless client stations. One effective way to meet this challenge is to use 802.11b/g mode to support wireless clients and 802.11a mode to create the bridge.

MAP 1 and MAP 2 configuration

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Access point only.
   - Set Operating mode to 802.11b + 802.11g.
   - Set Channel to Automatic.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - On MAP 1, set Channel to Channel 44.
   - On MAP 2, set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.

MAP 3 configuration

1. Select Wireless > Radios.
2. Under Radio 1:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 44.
   - Set Antenna selection to Main antenna.
3. Under Radio 2:
   - Set Operating mode to Wireless links only.
   - Set Operating mode to 802.11a.
   - Set Channel to Channel 36.
   - Set Antenna selection to Main antenna.
4. Click Save.
Chapter 5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - WDS scenarios- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Chapter 5 Configure addressing By default MAPs operate as a DHCP client. In the sample topology they are automatically assigned IP addresses by the DHCP server. To make the MAPs easier to manage however, it may be useful to assign a static IP address to them as follows: 1. Select Network > Ports. 2. Under Port configuration, click Bridge port. 3. Under Assign IP address via, select Static then click the Configure button. 4. Set the static addressing parameters as required by the network and click Save. Enable the wireless bridge MAP 1 and MAP 2 configuration 1. Select Wireless > Wireless links. 2. Click Wireless link #1 to edit it. 3. Under Settings: Select Enabled. For Transmit/receive on, select Radio 2. 4. Under Security: Enable the checkbox. Select WEP. Under 128-bit WP key, enter 26 hexadecimal characters for the key. 5. Under Addressing, set Remote MAC address as follows: On MAP 1, set the MAC address of wireless port 1 on MAP 3. On MAP 2, set the MAC address of wireless port 2 on MAP 3. 6. Click Save. MAP 3 configuration 1. Select Wireless > Wireless links. 2. Click Wireless link #1 to edit it. 3. Under Settings, select Enabled. 4. Under Security: Enable the checkbox. Select WEP. Under 128-bit WP key, enter 26 hexadecimal characters for the key. 5. Under Addressing, set Remote MAC address to the MAC address of wireless port 2 on MAP 1. 6. Click Save. 7. Click Wireless link #2 to edit it. 8. Under Settings: Select Enabled. For Transmit/receive on, select Radio 2. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 106 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9. Under Security:
   Enable the checkbox.
   Select WEP.
   Under 128-bit WEP key, enter 26 hexadecimal characters for the key.
10. Under Addressing, set Remote MAC address to the MAC address of wireless port 2 on MAP 2.
11. Click Save.

Make performance adjustments

Use the following steps to make performance adjustments to MAP 1 and MAP 2, and then repeat for MAP 2 and MAP 3.

1. Open the Tools > Ping page on one unit and ping the other one to ensure that the bridge is working.
2. Select Status > Wireless.
3. Under Wireless links status, use the SNR value as a guide to adjust the antennas to obtain the best possible value. A value greater than 20 is good. After each change, allow a minimum of two minutes for Link speed to report its new value.
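Each wireless link in this scenario only comes up if both ends agree on channel, remote MAC address and WEP key, so the values are worth checking on paper before they are typed into the Management Tool. The following Python check is an added example, not part of the Colubris guide: the MAC addresses and key are constructed placeholders, the plan layout and the check_plan function are assumptions, and wireless port N is assumed to be radio N.

```python
import re

WEP128_KEY = re.compile(r"[0-9A-Fa-f]{26}")  # the 26 hexadecimal characters the guide asks for

# Constructed plan of the sample topology. MAC addresses and key are made-up placeholders.
KEY = "0f1e2d3c4b5a69788796a5b4c3"
RADIOS = {  # (MAP, radio) -> settings; wireless port N is assumed to be radio N
    ("MAP1", 2): {"mode": "Wireless links only", "channel": 44, "mac": "02:00:00:00:01:02"},
    ("MAP2", 2): {"mode": "Wireless links only", "channel": 36, "mac": "02:00:00:00:02:02"},
    ("MAP3", 1): {"mode": "Wireless links only", "channel": 44, "mac": "02:00:00:00:03:01"},
    ("MAP3", 2): {"mode": "Wireless links only", "channel": 36, "mac": "02:00:00:00:03:02"},
}
LINKS = [  # one entry per enabled wireless link: local radio, Remote MAC address, key
    {"local": ("MAP1", 2), "remote_mac": "02:00:00:00:03:01", "key": KEY},
    {"local": ("MAP2", 2), "remote_mac": "02:00:00:00:03:02", "key": KEY},
    {"local": ("MAP3", 1), "remote_mac": "02:00:00:00:01:02", "key": KEY},
    {"local": ("MAP3", 2), "remote_mac": "02:00:00:00:02:02", "key": KEY},
]

def check_plan(radios, links):
    """Return a list of problems; an empty list means both ends of every link agree."""
    problems = []
    by_mac = {r["mac"].lower(): rid for rid, r in radios.items()}
    by_local = {link["local"]: link for link in links}
    for link in links:
        local = link["local"]
        name = f"{local[0]} radio {local[1]}"
        if not WEP128_KEY.fullmatch(link["key"]):
            problems.append(f"{name}: key is not 26 hexadecimal characters")
        if radios[local]["mode"] != "Wireless links only":
            problems.append(f"{name}: not set to Wireless links only as in this scenario")
        remote = by_mac.get(link["remote_mac"].lower())
        if remote is None:
            problems.append(f"{name}: remote MAC matches no radio in the plan")
            continue
        if radios[remote]["channel"] != radios[local]["channel"]:
            problems.append(f"{name}: channel differs from {remote[0]} radio {remote[1]}")
        back = by_local.get(remote)  # the link configured on the far-end radio
        if back is None or back["remote_mac"].lower() != radios[local]["mac"].lower():
            problems.append(f"{name}: remote end does not point back at this radio")
        elif back["key"].lower() != link["key"].lower():
            problems.append(f"{name}: key differs from the remote end")
    return problems

if __name__ == "__main__":
    for line in check_plan(RADIOS, LINKS) or ["plan is consistent"]:
        print(line)
```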
Chapter 6: More from Colubris

In this chapter you can find information about the resources that are available to you at the Colubris website, as well as information about how to contact Colubris support, training, and sales.
Colubris.com

Visit Colubris.com to access Datasheets, Whitepapers, Case Studies, and Solution Guides. From the left side of the homepage, select Literature to view these menu items. Access to this material is free and does not require product registration.

For registered customers

By registering your product at Colubris.com, you can access the information listed below. To register, go to Colubris.com and from the left side of the home page select Support > Product Registration. Complete and submit the Product Registration Form to gain access to the support area of the website.

Once you register your product purchase with Colubris, you can log in and access the following information:

   Technical documentation
   Administrator's guides
   Quickstart guides
   Quick setup tools
   SNMP MIBs
   Software license agreement
   Return Material Authorization (RMA) procedures and forms

For Annual Maintenance Support Program customers

Colubris Networks offers a comprehensive set of annual support programs that focus on the hardware and software content of Colubris' award-winning family of secure Wi-Fi solutions. Annual Maintenance Support Programs provide a broad level of hardware and software assistance that combines various elements of support:

   Telephone-based technical support
   Hardware support
   Software support

When visiting Colubris.com, customers who have purchased an Annual Maintenance Support Program can access the following information in addition to the website material discussed above:

   FAQs
   Technical notes
   Release notes
   Software downloads
Information by telephone and e-mail

You can contact Colubris support, training, and sales directly as follows:

Colubris Customer Support team:
   E-mail support@colubris.com
   Telephone toll-free from within the United States and Canada by dialing 1-866-241-8324, then select option 1.
   To telephone the Colubris Customer Support team from other countries, dial the International Direct Dialing prefix (IDD) for the country from which you are calling, then dial 1-781-684-0001. Select option 1. You can find a list of IDDs, as well as more information about making international calls, at http://kropla.com/dialcode.htm.

Colubris training department:
   E-mail training@colubris.com

Colubris sales information:
   E-mail sales@colubris.com